The Evolution of the LAN Environment:
HUB: Single Collision Domain. Half Duplex.
SWITCH (Layer 2): Multiple Collision Domains. Supports Full Duplex. Single Broadcast Domain.
SWITCH (Layer 3): Also has Routing capability.

Cisco's Enterprise Composite Network Model:
Problems with the 'Plug and Play' switching model:
1. Chances of failure
2. Broadcast traffic
3. Multicasting issues
4. Security issues
5. MAC flooding
[Diagram: the three layers of the model, top to bottom: Core Layer, Distribution Layer, Access Layer]
Switch Operating Systems:
• CatOS
• IOS
VLAN:
Facts:
1. Logical separation
2. Each VLAN is a separate subnet
3. Each VLAN is a separate broadcast domain
4. Each VLAN can have its own QoS and Access Control
5. VLANs are stored in flash as the 'vlan.dat' file, so erasing the NVRAM won't delete the VLANs. Delete 'vlan.dat' instead.
6. Each VLAN runs its own STP, thus called PVST (Per-VLAN Spanning Tree)
7. One Root bridge is elected for each VLAN
Guidelines:
1. Restrict VLANs to switch blocks, otherwise we have to use a trunk to carry all broadcast VLAN traffic. In other words, local VLANs shouldn't extend beyond the Distribution layer. VLANs should be created around physical boundaries. For e.g. the Access Layer's physical boundary is the Distribution Layer and the Distribution Layer's physical boundary is the Core Layer.
2. Implement a Management VLAN.
3. Separate Voice traffic, not only for QoS but also for security.
4. Implement multicast support.
5. Implement inter-VLAN routing.

Configuration:
1. Create a VLAN
   • Old way (through 'vlan database')
     Disadvantage: if we do ^Z then the VLAN configuration is lost. We need to type EXIT instead of ^Z to save the configuration.
   • New way (through global config mode; the name is given in VLAN config mode)
     SW(config)#vlan 10
     SW(config-vlan)#name SALES
2. Change the mode of a port.
   • Access – (for Access layer devices, e.g. PCs, printers etc.; no advertisement)
     SW(config-if)#switchport mode access
   • Trunk – (for Trunking; advertises DTP [Dynamic Trunking Protocol] & VTP)
   • Dynamic Desirable – (dynamically negotiates and desires to be Trunk; advertises DTP & VTP)
   • Dynamic Auto – (dynamically negotiates but has no desire to be Trunk; no advertisement)
   • Nonegotiate – (does not advertise DTP & VTP, even if the port is Trunk)
3. Assign that port to a VLAN
   SW(config-if)#switchport access vlan 10
4. Verify the VLAN with the 'show vlan' command.
5. Verify the port mode with 'show int f0/0 switchport'. Check the 'Administrative mode' and 'Operational mode' fields.
6. Make sure to turn all access layer ports to Access mode for security reasons (a host-facing port left in dynamic mode can be negotiated into a trunk).
   SW(config)#int range f0/0 - 15
   SW(config-if-range)#switchport mode access
Trunking:
1. Trunking protocols:
   a. ISL (Inter-Switch Link) – Cisco proprietary; encapsulates the entire frame, thus adds a 26-byte header (of which the VLAN tag is only 2 bytes; the rest is reserved for future use) [not supported on the 2950]
   b. 802.1q – Open standard; inserts a tag into the frame instead of encapsulating it. Only a 4-byte tag is inserted (including 3 bits for priority)
2. Configure the trunk protocol (either ISL or 802.1q)
   SW(config-if)#switchport trunk encapsulation dot1q
3. If using 802.1q, make sure the Native VLAN is configured properly, because if an 802.1q trunk port receives an untagged packet it won't otherwise know what to do with it. If we configure a Native VLAN, we must make sure it's the same on the adjacent switch, otherwise we will receive a Native VLAN mismatch error. (A Native VLAN is practically required for VoIP, where we don't want a separate Ethernet port for the PC in the cubicle: we would just like to use the Ethernet port on the VoIP phone to connect the PC too. The VoIP phone is capable of sending VLAN-tagged packets, but the PC always sends untagged packets, which the switch discards if no Native VLAN is configured.)
   SW(config-if)#switchport trunk native vlan 10
4. Configure the port mode to Trunk and use nonegotiate.
   SW(config-if)#switchport nonegotiate
5. If not using VTP pruning, manually configure the allowed VLANs to pass through the trunk.
   SW(config-if)#switchport trunk allowed vlan 10,20,30
6. Verify using the 'sh int f0/0 trunk' command

VTP (VLAN Trunking Protocol):
1. Basically used to replicate VLAN revisions to switches.
   a. Advantage: We don't have to manually configure VLANs on every switch
   b. Disadvantage: Can be a huge problem if not properly used. Scenario: if we mistakenly connect a switch that holds different VLANs, is a VTP server, has the same domain name (and a higher configuration revision number), it will advertise VTP updates to all client switches and thus flush their VLAN databases with the new information. This will result in a complete network outage because the ports of those client switches were configured for the VLANs which are now lost.
2. Configure the VTP domain. The domain name is case sensitive.
   SW(config)#vtp domain cisco.com
3. Configure the VTP mode
   • Server (has the power to update; saves the VLAN configuration; there should be only one server)
   • Client (cannot update; does not save the VLAN configuration)
     SW(config)#vtp mode client
   • Transparent (forwards VTP updates if Version 2 is configured; has the power to update its own VLANs but never advertises them; saves the VLAN configuration)
4. Configure VTP Pruning (keeps unnecessary broadcast traffic from crossing trunk links; only configured on the VTP server)
   SW(config)#vtp pruning
5. Verify with the 'sh vtp status' command
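The 802.1q tag format and native-VLAN handling described in the trunking section, as an added example that is not part of the original notes. It builds and parses tagged frames (TPID 0x8100 plus a 16-bit TCI with the 3-bit priority, DEI bit and 12-bit VLAN ID) and shows how a trunk port classifies an untagged frame into the native VLAN and drops VLANs that are not on the allowed list. All MAC addresses, VLAN numbers and payloads are constructed sample data.

```python
# Added example, not from the original notes: building and parsing 802.1Q
# tagged Ethernet frames and classifying ingress frames on a trunk port.
# Field widths follow IEEE 802.1Q; all frames, MACs and VLAN numbers below
# are constructed sample data.
import struct
from typing import Optional, Set

TPID_8021Q = 0x8100  # EtherType value that announces a VLAN tag follows


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Return an Ethernet frame, inserting the 4-byte 802.1Q tag if vlan is set.

    The tag is TPID (2 bytes) + TCI (2 bytes). TCI packs a 3-bit priority
    (PCP), a 1-bit DEI and a 12-bit VLAN ID, and sits between the source
    MAC and the original EtherType.
    """
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    header = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        if not 0 <= pcp <= 7:
            raise ValueError("PCP is a 3-bit field")
        tci = (pcp << 13) | vlan          # DEI bit left at 0
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into fields; 'vlan' and 'pcp' are None when untagged."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
                "ethertype": struct.unpack("!H", frame[16:18])[0],
                "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None, "pcp": None,
            "ethertype": ethertype, "payload": frame[14:]}


def classify_on_trunk(frame: bytes, native_vlan: int, allowed: Set[int]) -> Optional[int]:
    """VLAN an 802.1Q trunk port assigns to an ingress frame, or None if dropped.

    Untagged frames (the PC behind the IP phone) land in the native VLAN;
    tagged frames are accepted only if their VLAN is on the allowed list.
    """
    vlan = parse_frame(frame)["vlan"]
    if vlan is None:
        vlan = native_vlan
    return vlan if vlan in allowed else None


def native_vlan_mismatch(local_native: int, peer_native: int) -> bool:
    """Both ends of an 802.1Q trunk must agree on the native VLAN."""
    return local_native != peer_native


if __name__ == "__main__":
    bcast = b"\xff" * 6
    pc = build_frame(bcast, bytes.fromhex("001122334455"), 0x0806, b"arp-request")
    phone = build_frame(bcast, bytes.fromhex("001122334466"), 0x0800, b"rtp", vlan=20, pcp=5)
    print("PC frame VLAN:", parse_frame(pc)["vlan"], "->", classify_on_trunk(pc, 10, {10, 20, 30}))
    print("Phone frame VLAN:", parse_frame(phone)["vlan"], "->", classify_on_trunk(phone, 10, {10, 20, 30}))
```

The untagged PC frame ends up in VLAN 10 only because the trunk has a native VLAN; the tagged phone frame is delivered to VLAN 20 only while 20 is on the allowed list, which is why pruning the allowed list (step 5) is worth doing even with VTP pruning available.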
STP (Spanning Tree Protocol): 802.1d
Facts:
1. Used to avoid loops (by "dropping trees" on redundant links, i.e. blocking them). Otherwise broadcast packets will keep looping out of all the interfaces of the switches and clog the network.
2. Switches send BPDU (Bridge Protocol Data Unit) probes (every 2 seconds) to detect loops in the network. These BPDU packets carry the MAC address and Priority that are used to elect the Root switch. If a BPDU probe sent by a switch is received back by the same switch, that switch learns about the loop in the network and decides to block a link based on the best path to reach the Root switch. (The priority field is 4 bits wide, therefore the priority is a multiple of 4096, up to a highest value of 61440; if the Priority is the same then the MAC address is the tie breaker. Lower wins.)
3. Make sure only Core switches are elected as Root by setting their priority manually (lower wins). Otherwise the purpose of having the campus network model is defeated: Core switches can handle much more traffic than Access & Distribution layer switches.
4. PORT ROLES:
   • Root port: Used to reach the Root switch
   • Designated port/Forwarding port: All ports on the Root switch are Forwarding. Further, there must be at least ONE forwarding port per link.
   • Blocking: Where the tree fell (basically on the switch that has the highest MAC address)
[Diagram: three switches in a triangle, each link with path cost 19. Both ports of the Root switch are Designated (D); each downstream switch has a Root port (R) toward the Root; on the link between the two downstream switches one end is Designated (D) and the other is Blocking (B).]
5. STATES:
   Listening: 15 sec of listening for BPDUs
   Learning: 15 sec of learning MAC addresses
   Forwarding: no further delay; the port is forwarding traffic
   Blocking: the switch waits up to 20 sec (max age) before moving a blocked port into the listening phase.
   • In case of equal-cost links to the upstream, which port is blocked is decided by Bridge ID (i.e. Priority + MAC)
   • If the Bridge ID is also equal, then which port is blocked is decided by the lowest port number.
6. Each VLAN runs its own STP by default, thus called PVST (Per-VLAN Spanning Tree). A VLAN tag is inserted between the Priority and MAC fields: the VLAN number is added to the priority (that's why every switch shows a default priority of 32768+1=32769 for VLAN 1).
   SW(config)#spanning-tree mode pvst
7. One Root bridge is elected for each VLAN. This lets us build load balancing by applying a priority to each VLAN's instance of STP.
   SW(config)#spanning-tree vlan 10 root primary
   SW(config)#spanning-tree vlan 10 root secondary
   SW(config)#spanning-tree vlan 10 priority 4096
Configuration:
1. Configure STP and assign the priority
2. Verify using the 'sh spanning-tree' command
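The root election, PVST bridge ID and port-role rules from facts 2 to 6, as an added example that is not part of the original notes. It models the triangle in the diagram above (a core switch plus two access switches, every link 100 Mb/s with cost 19), elects the root for a VLAN by lowest (priority + VLAN, MAC), picks each switch's root port by lowest path cost with the stated tie-breakers, and decides which end of the remaining link blocks. Switch names, MACs and priorities are constructed sample values.

```python
# Added example, not from the original notes: STP / PVST bridge-ID comparison,
# root election and port-role assignment on a small constructed topology.
# Priorities, MAC addresses and link costs are sample values; 19 is the
# classic 802.1d cost of a 100 Mb/s link.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def mac_to_int(mac: str) -> int:
    """'0000.0000.aaaa' -> 0xaaaa so MACs compare numerically (lower wins)."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def bridge_id(priority: int, mac: str, vlan: int = 0) -> Tuple[int, int]:
    """PVST bridge ID: (priority + VLAN number, MAC). Lower tuple wins.

    The priority field is 4 bits wide, so it must be a multiple of 4096
    between 0 and 61440; the VLAN number fills the low 12 bits.
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return (priority + vlan, mac_to_int(mac))


@dataclass
class Switch:
    name: str
    mac: str
    priority: int = 32768
    # (neighbor name, local port number, link cost)
    links: List[Tuple[str, int, int]] = field(default_factory=list)


Topology = Dict[str, Switch]


def elect_root(topo: Topology, vlan: int) -> str:
    """The switch with the lowest bridge ID for this VLAN becomes root."""
    return min(topo, key=lambda n: bridge_id(topo[n].priority, topo[n].mac, vlan))


def path_cost(topo: Topology, start: str, root: str, seen=frozenset()) -> int:
    """Lowest total link cost from start to the root (loops avoided via seen)."""
    if start == root:
        return 0
    best = float("inf")
    for neighbor, _port, cost in topo[start].links:
        if neighbor not in seen:
            best = min(best, cost + path_cost(topo, neighbor, root, seen | {start}))
    return best


def root_port(topo: Topology, name: str, root: str, vlan: int) -> int:
    """Port with the lowest cost to the root; ties broken by the upstream
    bridge ID, then by the lowest local port number. Returns -1 on the root."""
    if name == root:
        return -1
    candidates = []
    for neighbor, port, cost in topo[name].links:
        nb = topo[neighbor]
        total = cost + path_cost(topo, neighbor, root, frozenset({name}))
        candidates.append((total, bridge_id(nb.priority, nb.mac, vlan), port))
    return min(candidates)[2]


def port_role(topo: Topology, name: str, port: int, root: str, vlan: int) -> str:
    """'root', 'designated' or 'blocking' for one port of one switch.

    On each link the end with the lower (root path cost, bridge ID) is the
    designated port; the other end, unless it is a root port, blocks.
    """
    if port == root_port(topo, name, root, vlan):
        return "root"
    sw = topo[name]
    neighbor = next(n for n, p, _ in sw.links if p == port)
    nb = topo[neighbor]
    mine = (path_cost(topo, name, root), bridge_id(sw.priority, sw.mac, vlan))
    theirs = (path_cost(topo, neighbor, root), bridge_id(nb.priority, nb.mac, vlan))
    return "designated" if mine < theirs else "blocking"


def sample_topology(core_priority: int = 24576) -> Topology:
    """Constructed triangle: core switch A plus access switches B and C."""
    return {
        "A": Switch("A", "0000.0000.aaaa", core_priority, [("B", 1, 19), ("C", 2, 19)]),
        "B": Switch("B", "0000.0000.bbbb", 32768, [("A", 1, 19), ("C", 2, 19)]),
        "C": Switch("C", "0000.0000.cccc", 32768, [("A", 1, 19), ("B", 2, 19)]),
    }


if __name__ == "__main__":
    topo = sample_topology()
    root = elect_root(topo, 10)
    print("root for VLAN 10:", root)
    for name in topo:
        for _, port, _ in topo[name].links:
            print(f"{name} port {port}: {port_role(topo, name, port, root, 10)}")
```

With the core switch left at the default priority it still wins here only because its MAC happens to be lowest; raising its priority to 61440 in `sample_topology` hands the root role to an access switch, which is the situation fact 3 warns about.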
RSTP (Rapid Spanning Tree): 802.1w
STP takes 30 sec to converge when a switch starts for the first time and 50 sec to re-converge after blocking. To avoid this delay, we use RSTP.
STATES:
• Discarding
• Learning
• Forwarding
PORT ROLES:
• Root
• Designated
• Alternate
• Edge
[Diagram: the same triangle topology as for STP. The Root's ports are Designated (D), each downstream switch has a Root port (R), the formerly blocking port is now an Alternate (A), and a host-facing port is an Edge port (E).]
1. To avoid the 30 sec delay when a switch starts, use 'SW(config-if)#spanning-tree portfast' on the host-facing port, but only on non-trunking ports (e.g. ports connected to hosts).
2. Unlike STP, where ports are blocked and forgotten, in RSTP ports are blocked but not forgotten (they are kept as alternates). Therefore there is no re-computation delay to bring the blocked port to forwarding.
3. It thinks proactively: if a link goes down, RSTP sends a TC (topology change) packet and informs the others.
Configuration:
SW(config)#spanning-tree mode rapid-pvst
'OR'
SW(config)#spanning-tree uplinkfast

MST (Multiple Spanning Tree): To run STP for a group of VLANs rather than a single VLAN.
SW(config)#spanning-tree mode mst
EtherChannel:
1. Combining multiple Ethernet links into a single high-bandwidth channel.
2. Negotiation Protocols:
   a. PAgP (Port Aggregation Protocol): Cisco proprietary; port modes: Auto, Desirable, On
   b. LACP (Link Aggregation Control Protocol): Industry standard 802.3ad; port modes: Passive, Active, On
3. Two flavors:
   • Layer 2 EtherChannel
     SW(config)#int range f0/23 - 24
     SW(config-if-range)#channel-protocol lacp
     SW(config-if-range)#channel-group 1 mode on [mode on bundles unconditionally without negotiating; use active/passive to actually run LACP]
   • Layer 3 EtherChannel
     SW(config)#int port-channel 1
     SW(config-if)#no switchport
     SW(config-if)#ip add 10.1.1.1 255.255.255.0
     SW(config-if)#int range f0/23 - 24
     SW(config-if-range)#no switchport
     SW(config-if-range)#channel-protocol lacp
     SW(config-if-range)#channel-group 1 mode on
4. Verify:
   sh etherchannel 1 port
   sh etherchannel detail
Guidelines:
1. All ports must use the same speed and duplex.
2. Interfaces in the bundle must be in the same VLAN or all be trunks.
3. Any change to the port channel affects all bundled ports.
4. Any change to an individual port affects only that port.
Inter-VLAN Routing:
Router-on-a-stick:
Advantages:
• Simple to set up
• Lower cost
Disadvantages:
• Congestion on the link
• Single point of failure
• Routing delay
Configuration:
• Configure the trunk connecting the Router
  SW(config-if)#switchport trunk encapsulation dot1q
  SW(config-if)#switchport mode trunk
• Create sub-interfaces on the Router (each sub-interface is tagged with its VLAN number)
  Router(config)#int f0/0
  Router(config-if)#no shut
  Router(config-if)#speed 100
  Router(config-if)#duplex full
  Router(config-if)#int f0/0.10
  Router(config-subif)#encapsulation dot1q 10
  Router(config-subif)#ip add 10.1.10.1 255.255.255.0
  Router(config-subif)#int f0/0.20
  Router(config-subif)#encapsulation dot1q 20
  Router(config-subif)#ip add 10.1.20.1 255.255.255.0
• Configure the Default Gateway on the PCs according to their VLANs
Multilayer Switching:
Advantages:
• Routing at wire speed
• Backplane bandwidth
• Redundancy enabled
Disadvantage:
• Cost
Configuration:
• Create SVIs
  SW(config)#int vlan 10
  SW(config-if)#ip add 10.1.10.1 255.255.255.0
  SW(config-if)#no shut
  SW(config-if)#int vlan 20
  SW(config-if)#ip add 10.1.20.1 255.255.255.0
  SW(config-if)#no shut
• Enable IP Routing
  SW(config)#ip routing
• Create Routed Ports (optional)
  SW(config)#int f0/0
  SW(config-if)#no switchport
  SW(config-if)#ip add 10.1.24.1 255.255.255.252
• Enable Routing protocols (optional)
  SW(config)#router eigrp 1
  SW(config-router)#no auto-summary
  SW(config-router)#network 10.0.0.0
CEF (Cisco Express Forwarding):
Some Facts:
• Routers and L3 switches both have IOS software routing
• Software routing is relatively slow compared to an ASIC (Application Specific Integrated Circuit)
• L3 switches can play a little software/hardware trick:
[Diagram: the L3 Engine computes routes and copies them to the FIB (which contains the routing table) and to the ADJ (adjacency) table (which contains the corresponding MAC addresses for all the routes in the FIB). The first time a destination is seen the packet goes through the L3 Engine; the next time it is forwarded at wire speed straight from the FIB and ADJ table.]
Disadvantages of CEF (these packets are punted to the software path):
• Packets with IP header options are not supported
• Packets whose TTL has expired are not supported
• Packets with an unsupported encapsulation
• Packets requiring fragmentation (MTU exceeded) are not supported
• Packets destined to a tunnel interface are not supported
Verify: sh ip cef
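The FIB/adjacency split and the punt cases listed above, as an added example that is not part of the original notes. It models a Layer 3 switch whose FIB does a longest-prefix lookup, whose adjacency table supplies the egress interface and rewrite MAC, and which punts to the software path any packet CEF cannot handle (IP options, expired TTL, fragmentation needed, or a next hop whose adjacency has not been resolved yet). The prefixes reuse the SVI and routed-port addresses from the notes; the next-hop, MACs and packets are constructed sample data.

```python
# Added example, not from the original notes: a model of the CEF data path
# sketched above. The FIB maps prefixes to next hops (longest match wins),
# the adjacency table holds the Layer 2 rewrite for each next hop, and
# packets CEF cannot switch in hardware (IP options, expired TTL, fragmentation
# needed, no adjacency yet) are punted to the software path. All prefixes,
# addresses, MACs and packets are constructed sample data.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    dst: str
    ttl: int = 64
    size: int = 500
    has_options: bool = False


class CefSwitch:
    def __init__(self, mtu: int = 1500):
        self.mtu = mtu
        # FIB: network -> next-hop IP, or None for a directly connected subnet
        self.fib: Dict[ipaddress.IPv4Network, Optional[str]] = {}
        # Adjacency table: next-hop IP -> (egress interface, next-hop MAC)
        self.adj: Dict[str, Tuple[str, str]] = {}
        self.punted: List[Tuple[str, str]] = []

    def install_route(self, prefix: str, next_hop: Optional[str]) -> None:
        self.fib[ipaddress.ip_network(prefix)] = next_hop

    def install_adjacency(self, next_hop: str, interface: str, mac: str) -> None:
        self.adj[next_hop] = (interface, mac)

    def lookup_fib(self, dst: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
        """Longest-prefix match; for connected routes the next hop is dst itself."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.fib if addr in net]
        if not matches:
            return None
        best = max(matches, key=lambda net: net.prefixlen)
        return best, self.fib[best] or dst

    def forward(self, pkt: Packet) -> dict:
        """Hardware-switch the packet, or punt it with the reason CEF cannot."""
        if pkt.has_options:
            return self._punt(pkt, "ip header options")
        if pkt.ttl <= 1:
            return self._punt(pkt, "ttl expired")
        if pkt.size > self.mtu:
            return self._punt(pkt, "fragmentation needed")
        hit = self.lookup_fib(pkt.dst)
        if hit is None:
            return self._punt(pkt, "no route")
        prefix, next_hop = hit
        if next_hop not in self.adj:
            # 'glean' adjacency: the L3 engine must ARP first, then install it
            return self._punt(pkt, "adjacency not resolved")
        interface, mac = self.adj[next_hop]
        return {"path": "hardware", "prefix": str(prefix), "next_hop": next_hop,
                "interface": interface, "rewrite_mac": mac, "ttl": pkt.ttl - 1}

    def _punt(self, pkt: Packet, reason: str) -> dict:
        self.punted.append((pkt.dst, reason))
        return {"path": "software", "reason": reason}


def sample_switch() -> CefSwitch:
    """Constructed FIB/adjacency content matching the SVI example above."""
    sw = CefSwitch()
    sw.install_route("10.1.10.0/24", None)          # connected via the VLAN 10 SVI
    sw.install_route("10.0.0.0/8", "10.1.24.2")      # learned via EIGRP (assumed)
    sw.install_route("0.0.0.0/0", "10.1.24.2")       # default route (assumed)
    sw.install_adjacency("10.1.24.2", "Fa0/0", "0000.0c11.2222")
    sw.install_adjacency("10.1.10.50", "Vlan10", "0011.2233.4455")
    return sw
```

Counting `punted` entries is the detection angle: a sudden rise in punted packets (for instance many TTL-1 or options-bearing packets) lands on the CPU rather than the ASIC, so it is both a performance and an availability concern worth graphing.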
Managing Redundancy:
HSRP (Hot Standby Router Protocol):
• Created by Cisco, for Cisco, in 1994
• Uses a default hello timer of 3 sec with a hold timer of 10 sec, but both are tunable.
• One gateway is active at a time. The others are in standby state.
• A Virtual IP & MAC address is generated: 0000.0c07.acxx, where 0000.0c is the Cisco vendor ID, 07.ac is the HSRP ID and xx is the standby group number (in hex).
• PCs use this Virtual IP address as their default gateway.
Configuration:
a) Add standby groups and the Virtual IP address on all switches.
   SW(config)#int vlan 70
   SW(config-if)#standby 1 ip 172.30.70.1
b) Verify
   sh standby
c) Optimize and Tune
   SW(config-if)#standby 1 priority 150 [100 is the default; the higher priority becomes active]
   SW(config-if)#standby 1 preempt delay reload 180 [If the desired switch comes back it will preempt the current active switch and take its position back; but be careful of flapping links, so always use the delay option]
   SW(config-if)#standby 1 track f0/0 60 [Makes it link specific: if that link goes down the switch decrements its priority by 60; the other switch takes over only if it has preempt configured as above]
   SW(config-if)#standby 1 timers msec 150 msec 700

VRRP (Virtual Router Redundancy Protocol):
a) Created by the IETF in 1999
b) Uses a default advertisement (hello) timer of 1 sec and a hold timer of 3 sec + skew timer
c) One gateway is master at a time. The others are in backup state.
d) The master router can share the virtual IP (it may be the real IP of one of the physical interfaces)
Configuration:
a) Add VRRP groups and the Virtual IP address on all switches.
   SW(config)#int vlan 70
   SW(config-if)#vrrp 1 ip 172.30.70.1 [may be the IP address of one of the physical interfaces]
b) Verify
   sh vrrp
c) Optimize and Tune
   SW(config-if)#vrrp 1 priority 150
   SW(config-if)#vrrp 1 preempt delay minimum 180
   SW(config-if)#vrrp 1 track 1 decrement 60 [VRRP tracks an object, not an interface directly; define object 1 with 'track 1 interface f0/0 line-protocol']
   SW(config-if)#vrrp 1 timers advertise msec 100 [configure it on the master]

GLBP (Gateway Load Balancing Protocol):
• Created by Cisco, for Cisco, in 2005
• Identical to HSRP, but allows load balancing.
• Single Virtual IP with multiple MACs (one per forwarder)
• The Active Virtual Gateway (AVG) acts as the 'point man' (it hands out the virtual MACs)
• The other switches act as Active Virtual Forwarders (AVFs)
Configuration:
a) Add GLBP groups and the Virtual IP address on all switches.
   SW(config)#int vlan 70
   SW(config-if)#glbp 1 ip 172.30.70.1
b) Verify
   sh glbp
c) Optimize and Tune
   SW(config-if)#glbp 1 priority 150 [decides who will be the AVG]
   SW(config-if)#glbp 1 load-balancing [host-dependent/round-robin/weighted] [round-robin is the default]
   SW(config-if)#glbp 1 timers redirect 100 [specifies the timeout value for failed forwarders]
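The HSRP behaviour described above, as an added example that is not part of the original notes: the virtual MAC 0000.0c07.acXX derived from the group number, active/standby election by priority (highest wins, highest IP as tie-breaker), preemption, and interface tracking that lowers a gateway's priority. It models the page's priority 150 / track 60 configuration and shows why the tracked-link decrement causes a failover only when the other gateway has preempt configured. Gateway names, addresses and tracked interface names are constructed sample values; initial election is simplified to "best candidate wins" rather than first-to-boot.

```python
# Added example, not from the original notes: a model of the HSRP behaviour
# described above (virtual MAC from the group number, active/standby election
# by priority with highest IP as tie-breaker, preemption, interface tracking).
# Names, addresses, priorities and tracked interfaces are constructed values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def hsrp_virtual_mac(group: int) -> str:
    """0000.0c07.acXX: Cisco OUI 0000.0c, HSRP ID 07.ac, group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group numbers are 0..255")
    return f"0000.0c07.ac{group:02x}"


@dataclass
class Gateway:
    name: str
    ip: str
    priority: int = 100              # IOS default
    preempt: bool = False            # IOS default: no preemption
    tracked: Dict[str, int] = field(default_factory=dict)  # interface -> decrement
    down_links: Set[str] = field(default_factory=set)
    alive: bool = True

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked link that is down."""
        return self.priority - sum(d for i, d in self.tracked.items() if i in self.down_links)


def _ip_key(ip: str):
    return tuple(int(o) for o in ip.split("."))


class HsrpGroup:
    def __init__(self, group: int, virtual_ip: str, gateways: List[Gateway]):
        self.group, self.virtual_ip = group, virtual_ip
        self.virtual_mac = hsrp_virtual_mac(group)
        self.gateways = {g.name: g for g in gateways}
        self.active: Optional[str] = None
        self.standby: Optional[str] = None
        self._elect()

    def _ranked(self) -> List[Gateway]:
        """Best candidate first: highest effective priority, then highest IP."""
        alive = [g for g in self.gateways.values() if g.alive]
        return sorted(alive, key=lambda g: (g.effective_priority(), _ip_key(g.ip)), reverse=True)

    def _elect(self) -> None:
        ranked = self._ranked()
        if not ranked:
            self.active = self.standby = None
            return
        current = self.gateways.get(self.active) if self.active else None
        if current is None or not current.alive:
            self.active = ranked[0].name        # no active gateway: best one takes over
        else:
            best = ranked[0]
            # A better gateway only displaces a healthy active one if it has preempt
            if (best.name != self.active and best.preempt
                    and best.effective_priority() > current.effective_priority()):
                self.active = best.name
        self.standby = next((g.name for g in ranked if g.name != self.active), None)

    def link_down(self, name: str, interface: str) -> None:
        self.gateways[name].down_links.add(interface)
        self._elect()

    def link_up(self, name: str, interface: str) -> None:
        self.gateways[name].down_links.discard(interface)
        self._elect()

    def fail(self, name: str) -> None:
        """The gateway stops sending hellos for longer than the hold time."""
        self.gateways[name].alive = False
        self._elect()

    def recover(self, name: str) -> None:
        self.gateways[name].alive = True
        self._elect()
```

The second scenario in the test is the one the notes warn about: with tracking but without preempt on the peer, the active gateway keeps the role even after its uplink fails, so hosts keep sending to a gateway that can no longer reach the core.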
WIRELESS LAN:
Types of Wireless network:
• PAN – Bluetooth network (10 meters)
• LAN – Cisco or Linksys access point (100 meters)
• MAN – City-wide wireless connection
• WAN – GSM, GPRS, 3G
Facts:
• WAP (Wireless Access Point): Acts like a hub, i.e. shared signal & half duplex.
  o Autonomous AP: Standalone; IOS based; can be centrally controlled using Wireless Domain Services (WDS); managed using the CiscoWorks WLAN Solution Engine (WLSE)
  o Lightweight AP: Server dependent; zero-configuration ("dumb"); centrally controlled by a Wireless LAN Controller (WLC) that holds all the intelligence; optionally managed using the Cisco Wireless Control System (WCS); the Lightweight Access Point Protocol (LWAPP) is used between the controller and the WAPs; the client MAC association is held on the WLC instead of the WAP.
  o Indoor AP – 1130AG, 1240AG
  o Outdoor AP – 1300 series, 1400 series (Autonomous only)
• 802.11 is a physical & data-link layer standard: 802.11b, 802.11g, 802.11a
• Uses CSMA/CA instead of CSMA/CD
• Faces connectivity issues because of interference.
• Uses an SSID (Service Set Identifier) to uniquely identify and separate wireless networks. When wireless is enabled, the client issues a probe and the WAP responds with a beacon. The client then associates itself with a chosen SSID, and the WAP adds the client MAC to its association table.
• RF service areas should have 10-15% overlap. Solid coverage provides better battery life.
• For seamless roaming, the WAP should support roaming features, because MACs are usually locked until connectivity is lost. Two flavors of roaming:
  a) Layer 2 Roaming: Same SSID, VLAN & subnet
  b) Layer 3 Roaming: Same SSID; the source IP address gets encapsulated inside the other service area's subnet IP while the client is there.
[Diagram: Topology. Distribution Layer on top; Access Layer switches below connected to WAPs; a Wireless Bridge joins two segments.]
• Repeaters should have 50% overlap
• Clients should prefer 'Data Rate Shifts' or 'Periodic Intervals' to find out when to change area.
• Upper-end WAPs also support multiple VLANs: different SSIDs are associated with different VLANs. This provides multiple security levels, subnets and access privileges.
• Uses unlicensed radio frequency bands: 900 MHz, 2.4 GHz, 5-6 GHz. The higher the frequency, the greater the bandwidth and the shorter the range.
• Bordering WAPs should use different channels. 802.11b & 802.11g have 3 clear (non-overlapping) channels; 802.11a has 12 clear channels.
• The wireless security evolution:
  o 1997 – Wired Equivalent Privacy (WEP)
  o 2001 – 802.1x Extensible Authentication Protocol (EAP)
  o 2003 – Wi-Fi Protected Access (WPA), uses TKIP
  o 2004 – IEEE 802.11i (WPA2), uses AES
Antennas: Omni-directional, Directional, Yagi
Layer 2 Attacks:
1. A hacker can use a hacking tool to send frames with ever-changing source MAC addresses to a port until the CAM table of that switch fills up and it fails to learn any more MAC addresses. The switch then behaves like a hub and starts flooding everything to everybody to make sure everybody gets the data they are looking for. The hacker then uses a packet sniffer to get easy access to any data passing through.
2. A hacker negotiates a trunk connection with a switch (via DTP) and moves between VLANs. This is called a VLAN Hopping attack. In this way the hacker can even sneak into the VoIP VLAN and record voice conversations into wav files.
3. A hacker can act as a Man-in-the-Middle. When a host sends an ARP request asking for the MAC address of the Authentication server, the hacker answers with its own. The host then starts sending packets to the hacker, and the hacker relays those packets to the Authentication Server, pretending to be that host. In this way the Authentication server also starts sending its packets to the hacker.
Security Measures:
• Use secure MAC addresses
  SW(config-if)#switchport mode access [access mode is necessary to enable port security]
  SW(config-if)#switchport port-security [turns port security on for the interface; the other port-security commands have no effect without it]
  SW(config-if)#switchport port-security mac-address aaaa.bbbb.cccc [example MAC; make sure you type as many MAC addresses as you allowed with the 'maximum' command, or the security purpose of manually typing MAC addresses is defeated]
  'OR'
  SW(config-if)#switchport port-security mac-address sticky [It records the MAC address of whatever we plug into the port as a secure address, which saves typing MAC addresses manually]
  Verify using 'sh mac-add int f0/0'
  Remember to save the running config: sticky addresses live only in the running config until it is saved
• Limit the number of MAC addresses per port
  SW(config-if)#switchport port-security maximum 1
• Configure the Violation mode
  SW(config-if)#switchport port-security violation [shutdown/restrict/protect] [shutdown is the default; restrict drops and logs, protect drops silently]
  Verify using 'sh port-security int f0/0' and 'sh interface status'
• To re-enable a shutdown (err-disabled) port, do 'shut' then 'no shut' on that interface
  'OR'
  SW(config)#errdisable recovery cause security-violation
  SW(config)#errdisable recovery interval 60
  sh errdisable recovery
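The CAM-table flooding from attack 1 and the port-security counter-measures above, as an added example that is not part of the original notes. It models a switch with a bounded CAM table and the per-port settings from the commands above (maximum, the three violation modes, sticky learning, err-disable recovery), runs constructed frames through it, and adds a small detection check a defender can run over the learned table. All MAC addresses and port names are constructed.

```python
# Added example, not from the original notes: a model of a switch CAM table
# with the port-security settings configured above, run against constructed
# frames. It shows the flooding that follows a full CAM table, and how a
# per-port MAC limit with the protect / restrict / shutdown violation modes
# (and sticky learning) keeps one port from exhausting it. All MAC addresses
# and port names are constructed.
from typing import Dict, List, Optional


class SecuredSwitch:
    def __init__(self, cam_capacity: int = 8):
        self.cam_capacity = cam_capacity
        self.cam: Dict[str, str] = {}            # source MAC -> port it was learned on
        self.ports: Dict[str, dict] = {}          # port -> port-security state
        self.log: List[str] = []

    def enable_port_security(self, port: str, maximum: int = 1, violation: str = "shutdown",
                             sticky: bool = False, static=()) -> None:
        """Equivalent of 'switchport port-security [maximum/violation/mac-address]'."""
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.ports[port] = {"max": maximum, "violation": violation, "sticky": sticky,
                            "secure": set(static), "errdisabled": False, "violations": 0}

    def ingress(self, port: str, src_mac: str) -> str:
        """Process one frame; returns 'learn', 'flood', 'drop' or 'errdisable'."""
        sec = self.ports.get(port)
        if sec is not None:
            if sec["errdisabled"]:
                return "drop"
            if src_mac not in sec["secure"]:
                if len(sec["secure"]) >= sec["max"]:
                    return self._violation(port, sec, src_mac)
                sec["secure"].add(src_mac)
                if sec["sticky"]:
                    self.log.append(f"sticky-learned {src_mac} on {port}")
        if src_mac not in self.cam and len(self.cam) >= self.cam_capacity:
            # Table full: the frame is forwarded but nothing new is learned,
            # so replies to unknown destinations are flooded out every port.
            return "flood"
        self.cam[src_mac] = port
        return "learn"

    def _violation(self, port: str, sec: dict, mac: str) -> str:
        sec["violations"] += 1
        if sec["violation"] == "protect":
            return "drop"                         # silently dropped
        if sec["violation"] == "restrict":
            self.log.append(f"%PORT_SECURITY: violation on {port} by {mac}")
            return "drop"                         # dropped, counted and logged
        sec["errdisabled"] = True                 # shutdown: port goes err-disabled
        self.log.append(f"{port} err-disabled (security violation)")
        return "errdisable"

    def errdisable_recover(self, port: str) -> None:
        """'shut' / 'no shut' or the errdisable recovery timer."""
        self.ports[port]["errdisabled"] = False

    def flooding_alert(self, port: str, threshold: int = 16) -> Optional[str]:
        """Detection view: an access port that sourced many MACs is suspicious."""
        seen = sum(1 for p in self.cam.values() if p == port)
        return f"{port} sourced {seen} MACs" if seen >= threshold else None
```

The first scenario in the test has no port security at all: the fifth distinct MAC on one port already pushes the small table into flooding. The same port with `maximum 1` never gets past its first address, and `flooding_alert` is the kind of check to run against `show mac address-table` output on ports that should only ever carry one host.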
Identity Based Network Services 802.1x (using RADIUS or TACACS+):
Protocols:
• EAP-TLS
• EAP-PEAP
• EAP-LEAP
EAP doesn't require the switch to look inside the EAP packet, but still lets the switch participate in authentication. Because of this we can keep using the same old switch with many forthcoming authentication technologies. Other authentication protocols, like MD5, are the complete opposite.
Configuration:
SW(config)#aaa new-model
SW(config)#aaa authentication dot1x default group radius
SW(config)#dot1x system-auth-control
SW(config)#int f0/0
SW(config-if)#dot1x port-control auto
Preventing VLAN Hopping Attack (using Private VLANs):
It's a VLAN within a VLAN.
[Diagram: Primary VLAN 100 contains Community VLAN 30 and Isolated VLAN 50; Primary VLAN 200 contains Community VLAN 70; a Promiscuous port provides the connectivity out of each primary VLAN.]
Configuration: Private VLANs can only be configured when VTP is in Transparent mode
• Create Private VLANs
  SW(config)#vtp mode transparent
  SW(config)#vlan 30
  SW(config-vlan)#private-vlan community
  SW(config-vlan)#vlan 50
  SW(config-vlan)#private-vlan isolated
  SW(config-vlan)#vlan 100
  SW(config-vlan)#private-vlan primary
  SW(config-vlan)#private-vlan association 30,50
  SW(config-vlan)#vlan 70
  SW(config-vlan)#private-vlan community
  SW(config-vlan)#vlan 200
  SW(config-vlan)#private-vlan primary
  SW(config-vlan)#private-vlan association 70
• Verify: sh vlan private-vlan type
• Associate ports
  SW(config)#int f0/0
  SW(config-if)#switchport mode private-vlan host
  SW(config-if)#switchport private-vlan host-association 100 30
  SW(config-if)#int f0/1
  SW(config-if)#switchport mode private-vlan host
  SW(config-if)#switchport private-vlan host-association 100 30
  SW(config-if)#int f0/2
  SW(config-if)#switchport mode private-vlan host
  SW(config-if)#switchport private-vlan host-association 100 50
  SW(config-if)#int f0/3
  SW(config-if)#switchport mode private-vlan host
  SW(config-if)#switchport private-vlan host-association 200 70
  SW(config-if)#int f0/4
  SW(config-if)#switchport mode private-vlan promiscuous
• Mapping on the Promiscuous port
  SW(config-if)#switchport private-vlan mapping 100 30,50
• Verify: sh vlan private-vlan
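The forwarding rules that the private-VLAN configuration above enforces, as an added example that is not part of the original notes. It rebuilds the page's VLANs (primary 100 with community 30 and isolated 50, primary 200 with community 70), the same host and promiscuous port assignments, and answers the question a reviewer actually wants answered: which pairs of ports can exchange frames. Port names are the page's; one extra isolated host port (f0/5) is constructed to show that isolated hosts cannot see each other.

```python
# Added example, not from the original notes: a model of the private-VLAN
# forwarding rules behind the configuration above, built with the same VLAN
# numbers and port assignments. f0/5 is an extra constructed isolated host.
from typing import Dict, Set


class PrivateVlans:
    def __init__(self):
        self.secondary: Dict[int, tuple] = {}   # secondary VLAN -> (kind, primary)
        self.primaries: Set[int] = set()
        self.ports: Dict[str, dict] = {}

    def community(self, vlan: int) -> None:
        self.secondary[vlan] = ("community", None)

    def isolated(self, vlan: int) -> None:
        self.secondary[vlan] = ("isolated", None)

    def primary(self, vlan: int, associated: Set[int]) -> None:
        """'private-vlan primary' + 'private-vlan association'."""
        self.primaries.add(vlan)
        for sec in associated:
            if sec not in self.secondary:
                raise ValueError(f"secondary VLAN {sec} must be created first")
            self.secondary[sec] = (self.secondary[sec][0], vlan)

    def host_port(self, port: str, primary: int, secondary: int) -> None:
        """'switchport mode private-vlan host' + 'host-association'."""
        _kind, assoc_primary = self.secondary.get(secondary, (None, None))
        if assoc_primary != primary:
            raise ValueError(f"VLAN {secondary} is not associated with primary {primary}")
        self.ports[port] = {"mode": "host", "primary": primary, "secondary": secondary}

    def promiscuous_port(self, port: str, primary: int, mapping: Set[int]) -> None:
        """'switchport mode private-vlan promiscuous' + 'mapping'."""
        bad = [s for s in mapping if self.secondary.get(s, (None, None))[1] != primary]
        if bad:
            raise ValueError(f"VLANs {bad} are not associated with primary {primary}")
        self.ports[port] = {"mode": "promiscuous", "primary": primary, "mapping": set(mapping)}

    def can_forward(self, src: str, dst: str) -> bool:
        """Whether a frame from port src may be delivered to port dst."""
        a, b = self.ports[src], self.ports[dst]
        if a["primary"] != b["primary"]:
            return False                       # different primaries never meet
        if a["mode"] == "promiscuous" or b["mode"] == "promiscuous":
            prom, host = (a, b) if a["mode"] == "promiscuous" else (b, a)
            if host["mode"] == "promiscuous":
                return True                    # two promiscuous ports, same primary
            return host["secondary"] in prom["mapping"]
        # both host ports: only community members of the same secondary talk
        if a["secondary"] != b["secondary"]:
            return False
        return self.secondary[a["secondary"]][0] == "community"


def sample_config() -> PrivateVlans:
    """The configuration from the notes above, as constructed data."""
    pv = PrivateVlans()
    pv.community(30)
    pv.isolated(50)
    pv.community(70)
    pv.primary(100, {30, 50})
    pv.primary(200, {70})
    pv.host_port("f0/0", 100, 30)
    pv.host_port("f0/1", 100, 30)
    pv.host_port("f0/2", 100, 50)
    pv.host_port("f0/5", 100, 50)   # extra isolated host, constructed
    pv.host_port("f0/3", 200, 70)
    pv.promiscuous_port("f0/4", 100, {30, 50})
    return pv
```

The `ValueError` checks mirror what the switch rejects: a host port cannot be associated with a secondary VLAN that belongs to a different primary, and a promiscuous mapping can only name secondaries of its own primary. Running `can_forward` over every port pair is a quick way to review a private-VLAN design before deploying it.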
Preventing Man-In-The-Middle Attack (using DHCP Snooping):
SW(config)#ip dhcp snooping
SW(config)#ip dhcp snooping vlan 10 [snooping must also be enabled per VLAN; VLAN 10 is the one used above]
SW(config)#int f0/0
SW(config-if)#ip dhcp snooping trust [DHCP server replies are now accepted only on this trusted port]
sh ip dhcp snooping binding
'OR'
SW(config-if)#ip verify source vlan dhcp-snooping port-security [IP Source Guard: checks the source IP and MAC of every packet on the port against the snooping binding table]
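The DHCP snooping and IP Source Guard behaviour behind the commands above, as an added example that is not part of the original notes. It models a switch that accepts DHCP server messages only on trusted ports, builds the binding table from the client exchange seen on untrusted ports, and then uses that table to check the source IP and MAC of data packets per port. All ports, MACs and addresses are constructed sample values; the DHCP messages are reduced to their type, client MAC and offered address.

```python
# Added example, not from the original notes: a model of DHCP snooping and
# IP Source Guard as configured above. Server messages are accepted only on
# trusted ports, the binding table is built from the DHCP exchange on
# untrusted ports, and IP Source Guard then checks every data packet's
# source against that table. All ports, MACs and addresses are constructed.
from typing import Dict, List, Optional, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


class DhcpSnooping:
    def __init__(self, snooped_vlans: Set[int]):
        self.vlans = set(snooped_vlans)            # 'ip dhcp snooping vlan ...'
        self.trusted: Set[str] = set()             # 'ip dhcp snooping trust'
        self.binding: Dict[Tuple[str, int], Tuple[str, str]] = {}  # (mac, vlan) -> (ip, port)
        self.pending: Dict[Tuple[str, int], str] = {}               # (mac, vlan) -> client port
        self.dropped: List[Tuple[str, str, str]] = []

    def trust(self, port: str) -> None:
        self.trusted.add(port)

    def process(self, port: str, vlan: int, kind: str, mac: str, ip: Optional[str] = None) -> str:
        """Handle one DHCP message seen on port; returns 'forward' or 'drop'."""
        if vlan not in self.vlans:
            return "forward"                        # VLAN not snooped: untouched
        if kind in SERVER_MESSAGES:
            if port not in self.trusted:
                self.dropped.append((port, kind, mac))
                return "drop"                       # rogue server on an access port
            if kind == "ACK" and (mac, vlan) in self.pending:
                self.binding[(mac, vlan)] = (ip, self.pending.pop((mac, vlan)))
            return "forward"
        if kind in CLIENT_MESSAGES:
            if kind in ("DISCOVER", "REQUEST"):
                self.pending[(mac, vlan)] = port
                return "forward"
            # RELEASE/DECLINE must come from the port that holds the binding
            bound = self.binding.get((mac, vlan))
            if bound is None or bound[1] != port:
                self.dropped.append((port, kind, mac))
                return "drop"
            del self.binding[(mac, vlan)]
            return "forward"
        return "drop"

    def verify_source(self, port: str, vlan: int, src_mac: str, src_ip: str) -> bool:
        """IP Source Guard (with port-security): a packet is allowed only if
        its source IP and MAC match a binding learned on this very port."""
        bound = self.binding.get((src_mac, vlan))
        return bound is not None and bound == (src_ip, port)
```

Two things the test exercises are worth watching in `sh ip dhcp snooping binding` on a real switch: a server message dropped on an untrusted port is the signature of a rogue DHCP server, and a host whose traffic fails `verify_source` is either spoofing an address or has moved ports without renewing its lease.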
Prevent STP manipulation (using BPDU guard):
SW(config-if)#spanning-tree bpduguard enable [the port is err-disabled as soon as any BPDU arrives on it, so enable it on the host-facing (portfast) ports where no switch should ever appear, not on the trunks toward other switches]
Prevent any switch attached to a specific port of the Root switch from becoming root (using Root guard): instead of marking that port error-disabled it marks it root-inconsistent and blocks it until the superior BPDUs stop.
SW(config-if)#spanning-tree guard root