One thing that I noticed while studying for the SWITCH exam is that VTP sections always skip a very important note about how VTP can cause a lot of trouble. A lot of folks including me don't use VTP unless we've been told we have to. But the fact still remains it's on our Cisco exams, it has to be explored and that exploration can lead to some of us deploying it. That's why we go and learn about this stuff, to roll it out into production if it makes sense. So from what we all read and experience, choose VTP servers closest to the points of network management, make your VTP clients all the rest and VTP transparent switches for the one-offs. This is more or less how I've done it in the real world also. But a VTP client can actually wipe out everything on your VTP server if it's revision number is higher than your VTP server. It does take a very unique situation, but it's not impossible. I put together a simple lab to illustrate it. Let's take the following..

Here is the east side of the network, and SW1 is acting the core switch and VTP server for your access layer.

SW1(config)#do sh vtp sta

VTP Version                     : 2

Configuration Revision          : 10

Maximum VLANs supported locally : 1005

Number of existing VLANs        : 11

VTP Operating Mode              : Server

VTP Domain Name                 : CISCO

VTP Pruning Mode                : Disabled

VTP V2 Mode                     : Enabled

VTP Traps Generation            : Disabled

MD5 digest                      : 0×30 0xC8 0xBE 0xD2 0×02 0x4C 0x4B 0xB3 

SW1(config)#do sh vlan bri

 

VLAN Name                             Status    Ports

—- ——————————– ——— ——————————-

1    default                          active    F0/1, F0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6

                                                    Fa0/23, Fa0/24

40   VLAN0040                         Fa0/11, Fa0/12, Fa0/13, Fa0/14    

50   VLAN0050                         active    

60   VLAN0060                          Fa0/7, Fa0/8, Fa0/9, Fa0/10    

70   VLAN0070                         Fa0/15, Fa0/16, Fa0/17, Fa0/18    

80   VLAN0080                         Gi0/2    

90   VLAN0090                         Fa0/19, Fa0/20, Fa0/21, Fa0/22

1002 fddi-default                     act/unsup 

1003 trcrf-default                    act/unsup 

1004 fddinet-default                  act/unsup 

1005 trbrf-default                    act/unsup 

SW2(config-vlan)#vtp mode client

SW2(config)#int Gi0/1

SW2(config-if)#no shut

SW1#

2d21h: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up

2d21h: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up

 

2d21h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

2d21h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

SW1(config)#do sh vlan bri

 

VLAN Name                             Status    Ports

—- ——————————– ——— ——————————-

1    default                          active    F0/1, F0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6

                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22

                                                Fa0/23, Fa0/24

100  VLAN0100                         active    

101  VLAN0101                         active    

102  VLAN0102                         active    

103  VLAN0103                         active    

104  VLAN0104                         active    

105  VLAN0105                         active    

1002 fddi-default                     act/unsup 

1003 trcrf-default                    act/unsup 

1004 fddinet-default                  act/unsup 

1005 trbrf-default                    act/unsup 

SW2#sh vlan bri

 

VLAN Name                             Status    Ports

—- ——————————– ——— ——————————-

1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4

                                                     Fa0/23, Fa0/24

100  VLAN0100                         active    

101  VLAN0101                         Fa0/15, Fa0/16, Fa0/17, Fa0/18    

102  VLAN0102                         Fa0/19, Fa0/20, Fa0/21, Fa0/22    

103  VLAN0103                         Fa0/9, Fa0/10, Fa0/13, Fa0/14    

104  VLAN0104                         Gi0/2    

105  VLAN0105                         active

106  VLAN0103                         Fa0/5, Fa0/6, Fa0/7, Fa0/8    

1002 fddi-default                     act/unsup 

1003 trcrf-default                    act/unsup 

1004 fddinet-default                  act/unsup 

1005 trbrf-default                    act/unsup 

1. Be sure that the switch is OFF net and you are consoled in to the CLI.
2. Perform a write erase
3. Delete the vlan.dat file
4. Set the VTP mode to Transparent or change the VTP Domain name
   1. Personally I'd set it to Transparent mode.
5. Reload the switch
6. Check the VTP status
   1. Review the Configuration Revision number
   2. Review the number of VLANs
   3. Review the VTP Domain Name

SW2#write erase 

Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]

[OK]

Erase of nvram: complete

 

00:02:20: %SYS-7-NV_BLOCK_INIT: Initalized the geometry of nvramele

 

SW2#delete flash:vlan.dat

Delete filename [vlan.dat]? 

Delete flash:vlan.dat? [confirm]

 

SW2(config)#vtp mode transparent 

Setting device to VTP TRANSPARENT mode

 

Switch#sh vtp status 

VTP Version                     : 2

Configuration Revision          : 0 << Revision # set to 0

Maximum VLANs supported locally : 1005

Number of existing VLANs        : 5 << These are the default VLANS

VTP Operating Mode              : Server

VTP Domain Name                 : 

VTP Pruning Mode                : Disabled

VTP V2 Mode                     : Disabled

VTP Traps Generation            : Disabled

MD5 digest                      : 0×57 0xCD 0×40 0×65 0×63 0×59 0×47 0xBD 

Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Local updater ID is 0.0.0.0 (no valid interface found)

Some time last year I was invited to demo @BosonSoftware CCNP TSHOOT ExSim-Max and NetSim. At the time, I wasn’t able to play with it too much. But the short time I did toy with it I was intrigued and decided (see here where I was contemplating the purchase) to invest in the SWITCH ExSim-Max right that moment since that’s what I’m currently working on. I wasn’t in full study mode cause it was the holidays, but we’re hoarders so it was a typical move for me; I knew I’d need it later. I also got 10% off the ExSim as a holiday promotion

I just wanted to share with you guys the value I see in these tools.

ExSim-Max

This Boson ExSim-Max application is the missing link I’ve needed since July 2010 (when I passed the BSCI and began working on SWITCH). Since I started using it I’ve learned that I’ve got a ton of the SWITCH material down, but a lot of the small stuff is where I fall short. No worries on the small stuff I get wrong though – when I answer a question incorrectly, the explanations given are superb enough to help me learn! Excellent details and explanations of the correct answer and even why each of the _wrong_ available answers is incorrect and what those incorrect answers _would_ do if you used them. For me, this was big! It keeps track of my progress and lets me know exactly where I need the help. This helps me take notes on where I need to read up so when i do run into more time (yea right!), I know exactly what chapters and sections to hit!

ExSim-Max feels almost like the real exam, the real deal – hehehe. The interface is very simple to work with and gets right to the point. It has an auto-update feature to update the exams, questions, maybe answers, additions to the exams or maybe correct incorrect explanations – I like that! The application is approved by Cisco and is all legit for use as study material. It’s so hard to find (if you know of others please share) any other application like this out there, that are also legal for exam studies

Another cool feature is the simulator questions, when you come to a question that requires you to pound out commands in the CLI, just like the Cisco exam; you have to launch the simulator. You have to install the the Boson Exam Environment (BEE) framework which links all of this together. Again, even with the simulation/lab/CLI questions – when you’re marked wrong or right you get a very nice explanation.

There are 2 types of ExSim applications. One is the ExSim-Max and the other is the normal ExSim. The differences are a big deal in my opinion!

ExSim-Max features not in ExSim.

• Written by Boson’s authors, who are leading subject-matter experts
• Quality assurance (technical & language)
• Guarantee
  

For a difference of only $40, it’s well worth the investment to just go on and get the full ExSim-Max.

NetSim

Similar to the platform the simulator questions are delivered on, Netsim is the full blown simulator tool. NetSim software for the purpose it’s sold, packs a ton of practice and is a huge benefit to my studies. I’m not sure why, but you must purchase the whole NetSim application that contains labs for CCNA and CCNP (SWITCH, TSHOOT and ROUTE). This is my only issue because for folks with little pocket money, it’d help to slim down the cost by just purchasing what you need and be on your way to studying and labbing and not going broke. The software itself can take some getting use to, but once you familiarize yourself with the interface you’ll be labbing in no time! There is a total of 17 CCNP SWITCH labs which are accompanied by full lab scenarios, goals, etc.

The labs get you down into just about every topic covered on the CCNP SWITCH exam. Most of the labs included with NetSim are similar to that of the older version of NetSim. They can also be printed into PDF which I found useful to recover some desktop/screen real estate and just work from the printed PDFs.

You can even create labs yourself using the lab compiler. The simulator does a great job giving you nearly every (what you need) command needed to cover the SWITCH material

Overall I have to admit that the NetSim application doesn’t replace your home lab or even GNS3 (for routing ). It’s not a true IOS environment, it’s an emulator so keep that in mind – but it packs a ton of awesomeness for routing and switching in terms of covering the necessary commands for the study materials. I think it’s important to point this out. You don’t need every command available in IOS to pass the ROUTE, TSHOOT or SWITCH exam, so essentially you get what you need. This is a study platform, not a simulator to help with testing, labbing or emulating work related networks – but depending what you’re trying to do you can probably do plenty of that depending on the complexity of what you’re trying to do.

CCNP and CCNA isn’t the only level material Boson covers. They also cover CCIE R&S, CCIP, CCDA, CCNA Voice and more!

One thing that is very important to point out is the confusion out there as to who writes the practice exams included with the Cisco Press books. Boson only provides the engine to run those CDs included with the books – those are not Boson practice exams. Cisco Press provides the content and Boson delivers them through the Boson Exam Environment.

Boson’s in-house written practice exams are called ExSim-Max and aren’t included with any study guides.

Download your own demos and give them a try! NetSim & ExSim Max

Some screenshots from the NetSim and ExSim software..

Notice: I was not paid by Boson to write this post. I was offered an extended demo of their product with an agreement that I’d post my review and opinion of the product.. I just want everyone to know this so there is no funny stories about my post

Cheers!

@LBSources

Multilayer Switching And Fault Tolerance

What Is Multilayer Switching?

• Multilayer switches are devices that switch and route packets in the switch hardware itself.

• These switches can perform packet switching up to ten times as fast as a pure L3 router

• Cisco Catalyst switches perform hardware switching using a router processor or L3 engine

• Routing information is downloaded to the hardware itself

• Hardware-based switching happens using one of the following methods:
  • Cisco Express Forwarding (CEF)
    • Newer method
  • Multilayer Switching (MLS) ß Legacy

• Application-Specific Integrated Circuits (ASICs) will perform the L2 rewriting operation of hardware switched packets.
  • L2 rewriting process changes the source and destination of packets

Route Caching AKA NetFlow switching

• Route caching devices have both a routing processor and a switching engine
  • The routing processor routes a flow’s first packet
  • The switching engine takes over and forwards the rest of the packets in that flow.

• What does a “flow” consist of?
  • A flow is a unidirectional stream of packets from a source to a destination, and packets on the same flow will share the same protocol. That is, if a source is sending both WWW and TFTP packets to the same destination, there are actually two flows of traffic. The MLS cache entries support such unidirectional flows.

Cisco Express Forwarding

• Huge improvement from MLS

• CEF is hardware-based, not software-based

• CEF is on by default on any and all CEF-enabled switches and you cannot turn it off.

• Cisco Express Forwarding (CEF) is a highly popular method of multilayer switching.

• CEF does support per-packet and per-destination load balancing

• A multilayer switch must have IP routing enabled for CEF to run

• Primarily designed for backbone switches, this topology-based switching method requires special hardware,

• Not available on all L3 switches.

• CEF is highly scalable, and is also easier on a switch’s CPU than route caching.

• CEF-enabled devices use the same routing information that a router would

• CEF-enabled switches keep a Forwarding Information Base (FIB) that contains the usual routing information:
  • Destination networks
  • Their subnet masks
  • The next-hop IP addresses

• CEF will use the FIB to make L3 prefix-based decisions.

• The FIB’s contents will mirror that of the IP routing table

• To view the FIB, use the show ip cef command:

SW2#show ip cef
Prefix                              Next Hop             Interface
0.0.0.0/32                      receive
224.0.0.0/4                   drop
224.0.0.0/24                 receive
255.255.255.255/32   receive

• The routing information in the FIB is updated dynamically as change notifications are received from the L3 engine.

• L2 information is kept in the Adjacency Table (AT)

• As adjacent hosts are discovered via ARP, that next-hop L2 information is kept in this table for CEF switching.

• After L2 and L3 next hop addresses are known, the MLS will forward the packet.

• Before it forwards the packet, the MLS will make the following changes:
  • The L2 source address will change to the MAC address on the MLS switch interface that transmits the packet.
  • The L2 destination MAC address will change – that’s going to be changed to the next-hop destination MAC address

• Exception packets are packets that cannot be hardware switched; In this case software switching must be used.

• Packet types that must be software switched:
  • Packets with IP header options
    • Note that packets with TCP header options are still switched in hardware; IP header options must use software switching
  • Packets that will be fragmented before transmission (because they’re exceeding the MTU)
  • 802.3 Ethernet packets

The Control Plane And The Data Plane

• Control Plane
  • The control plane’s job is to first build the ARP and IP routing tables, which makes the FIB and AT creation possible.
  • Also referred to as:
    • CEF control plane
    • Control plane
    • Layer 3 engine or layer 3 forwarding engine

• Data Plane
  • The data plane places data in the L3 switch’s memory while the FIB and AT tables are consulted, and then performs any necessary encapsulation before forwarding the data to the next hop.
  • Also referred to as:
    • Hardware engine
    • ASIC

• According to Cisco, the following are the fastest switching options available today – in order:
  • Distributed CEF (DCEF). The name is the recipe – the CEF workload is distributed over multiple CPUs.
  • CEF
  • Fast Switching
  • Process Switching

Inter-VLAN Routing

• In very simple situations you can use a switch with an internal route processor or Route Switch Module (RSM) to perform inter-VLAN routing without the need of a router.

• Multilayer switches allow us to create a logical interface that represents the VLAN.

Switched Virtual Interfaces (SVIs) & Routed Ports

• A logical interface that represents a VLAN is a Switched Virtual Interface (SVI)

• A L3 switchport can also be used as a routed port.

• An SVI or routed can only be created on a Multilayer Switch

• Tips regarding SVIs:
  • You need to create the VLAN before the SVI, and that VLAN must be active at the time of SVI creation
  • You need to open the SVI with no shut just as you would open a physical interface after configuring an IP address
  • The VLAN and SVI work together, but they’re not the same thing. Creating a VLAN doesn’t create an SVI, and creating an SVI doesn’t create a VLAN.

• The choice of using SVIs and/or routed ports depends on what devices are on the other end of the connection.

• Creating an SVI:

MLS(config)#interface vlan 10
MLS(config-if)#ip address 10.1.1.1 255.255.255.0

• Configuring basic inter-VLAN communication between subnets/hosts on a MLS

SW1(config)#ip routing ß Must be enabled before any L3 features can happen
SW1(config)#int fast 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 11
SW1(config-if)#int fast 0/3
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 33
SW1(config)#int vlan11
SW1(config-if)#ip address 20.1.1.11 255.255.255.0
SW1(config-if)#int vlan33
SW1(config-if)#ip address 30.1.1.11 255.255.255.0

• Give the hosts the SVI address as the gateway

• Configuring an L3 switchport as a routed port

SW1(config)#interface fast 0/5
SW1(config-if)#no switchport
SW1(config-if)#ip address 210.1.1.11 255.255.255.0

Fallback Bridging

• IPX, SNA, LAT and AppleTalk are not supported by CEF
  • SNA and LAT are not supported because they are nonrouteable protocols.

• Fallback Bridging must be used on a CEF enabled switch where these protocols are in use and need to go from one VLAN to another.

• Fallback bridging involves the creation of bridge groups, and the SVIs will have to be added to these bridge groups.

• To create a bridge group:

MLS(config)# bridge-group 1

• To join a SVI to a bridge group:

MLS(config)#interface vlan 10
MLS(config-if)#bridge-group 1

ICMP Router Discovery Protocol (IRDP)

• Defined in RFC 1256

• IRDP is an extension of ICMP

• IRDP Process
  • IRDP routers will generate Router Advertisement packets that will be heard by hosts on that segment.
  • If a host hears from more than one IRDP router, it will choose one as its primary
  • If the primary host goes down, it will start using the other router as it’s gateway

• No virtual router or virtual MAC is involved – hosts transmitting data will be using the real IP and MAC of a physical router.

• To enable IRDP:

MLS(config)# interface serial0
MLS(config-if)# ip irdp

Hot Standby Routing Protocol (HSRP)

• Defined in RFC 2281

• HSRP is Cisco-proprietary

• Routers are put into an HSRP group

• HSRP Process:
  • One of the routers will be selected as the Primary – based on the HSRP priority OR the highest IP address on an HSRP-enabled interface
  • The default priority of an HSRP router is 100 – if this is a tie then the highest IP address on an HSRP-enabled interface will become the primary HSRP router
  • Other routers in group will be on standby
  • If the primary goes down, one of the other routers are ready to take over as the primary

• • Hosts talking to gateways that are in HSRP groups don’t know the actual IP or MAC – they’re communicating with a pseudorouter/virtual router created by the HSRP configuration.
  • The virtual router will have a virtual MAC and IP address – this is what the host(s) sees

• By creating multiple HSRP groups on a single interface, HSRP load balancing can be achieved.

• HSRP Configuration:

R2(config)#interface ethernet0
R2(config-if)#standby 5 ip 172.12.23.10 ß Virtual router

R3(config)#interface ethernet0
R3(config-if)#standby 5 ip 172.12.23.10 ß Virtual router

• For HSRP status and troubleshooting use the “show standby” command

R2#show standby

• The MAC address assigned to the HSRP virtual router is in the following format:
  • 00-00-0c-07-ac-xx
    • The “xx” will be the value of the group in hexadecimal

• HSRP Timers:
  • Hellos every 3 seconds
  • Hold time 10 seconds
    • Timers can be changed, but they should be changed on all HSRP speakers to avoid big problems.

• To change HSRP timers:

R3(config-if)#standby 5 timers ?

<1-254> Hello interval in seconds

msec Specify hello interval in milliseconds

R3(config-if)#standby 5 timers 4 ?

<5-255> Hold time in seconds

R3(config-if)#standby 5 timers 4 12

HSRP Interface Tracking

• This feature enables the HSRP process to monitor an additional interface; the status of this interface will dynamically change the HSRP priority for a specified group. When that interface’s line protocol shows as “down”, the HSRP priority of the router is reduced/decremented. This can lead to another HSRP router on the network becoming the active router – but that other router must be configured with the preempt option.

• Example configuration of interface tracking and the preempt option:

R2(config)#interface ethernet0
R2(config-if)#standby 1 priority 105 preempt
R2(config-if)#standby 1 ip 172.12.23.10
R2(config-if)#standby 1 track serial0

R2(config-if)#standby 1 track serial0 25

• This configuration would result in a priority value decrement of 25 when the tracked interface goes down. Does not change the decrement value for all interfaces – just the one we’re tracking with that particular statement, serial0.

R3(config)#interface ethernet0
R3(config-if)#standby 1 priority 100 preempt
R3(config-if)#standby 1 ip 172.12.23.10

Virtual Router Redundancy Protocol (VRRP)

• Defined in RFC 2338

• VRRP is the open-standard equivalent of the Cisco proprietary HSRP

• VRRP works very much like HSRP, and is suited to a multivendor environment.

• Differences between HSRP and VRRP:

• • VRRP’s equivalent to HSRP’s Active router is the Master router. (Some VRRP documentation refers to this router as the IP Address Owner.) This is the router that has the virtual router’s IP address as a real IP address on the interface it will receive packets on.
  • The physical routers in a VRRP Group combine to form a Virtual Router.
  • VRRP Advertisements are multicast to 224.0.0.18. VRRP’s equivalent to HSRP’s Standby router state is the Backup state.
  • The MAC address of VRRP virtual routers is 00-00-5e-00-01-xx, and you guessed it – the xx is the group number in hexadecimal.
  • “preempt” is a default setting for VRRP routers.
  • As of IOS Version 12.3(2)T, VRRP now has an Object Tracking feature. Similar to HSRP’s Interface Tracking feature, a WAN interface can be tracked and a router’s VRRP priority dropped when that interface goes down.

Gateway Load Balancing Protocol (GLBP)

• HSRP and VRRP allow a form of load sharing, it’s not truly load balancing

• GLBP is Cisco-proprietary

• GLBP routers are placed into a router group

• GLBP allows every router in the group to handle some of the load in a round-robin format, rather than having a primary router handle all of it while the standby router remain idle.

• v   Hosts think they’re sending all of their data to a single gateway, but multiple gateways are in use at one time.

• GLBP also allows standard configuration of the hosts, who will all have their gateway address set to the virtual router’s address

• • Different than how you can use HSRP to load-balance having some hosts use gateway A and some hosts to gateway B

• GLBP process:

• • The key to GLBP is that when a host sends an ARP request for the MAC of the virtual router, one of the physical routers will answer. The host will then have the IP address of the virtual router and the MAC address of a physical router in the group.
  • The Active Virtual Gateway (AVG) will be the router with the highest GLBP priority, and this router will send back ARP responses containing virtual MAC addresses. The virtual MAC addresses are assigned by the AVG as well.
  • Hosts will have the same Layer 3 address for their gateway, but a different L2 address, accomplishing the desired load balancing while allowing standard configuration on the hosts.
  • If the routers all have the same GLBP priority, the router with the highest IP address will become the AVG.
  • The routers receiving and forwarding traffic received on this virtual MAC address are Active Virtual Forwarders (AVFs).
  • If the AVG fails, the router that’s serving as the standby AVG will take over.
  • If any of the AVFs (Active Virtual  Forwarders), another router will handle the load destined for a MAC on the downed router.

• GLBP routers use Hellos to detect whether other routers in their group are available or not.

• GLBP offers three different forms of MAC address assignment

• • Round-robin (default): assignments, a host that sends an ARP request will receive a response containing the next virtual MAC address in line.
  • Host-dependent: Suitable in a situation where hosts need the same MAC gateway address every time it sends and ARP request.
  • Weighter MAC: This method of assignment affects the percentage of traffic that will be sent to a given AVF. The higher the assigned weight, the more often that particular router’s virtual MAC will be sent to a requesting host

• Configuring GLBP:

MLS(config-if)# glbp 5 ip 172.1.1.10

• The following command will assign the address 172.1.1.10 to group 5.

• To change the interface priority, use the glbp priority command:

MLS(config-if)# glbp 5 priority 150

• To allow the local router to preempt the current AVG, use the glbp preempt command:

MLS(config-if)# glbp 5 preempt

Server Load Balancing (SLB)

• HSRP, VRRP, and CLBP all represent multiple physical routers to hosts as a single virtual router, SLB represents multiple physical servers to hosts as a single virtual server.

• Hosts will talk to a Virtual Server which represents the ServFarm which is a collection of physical servers.

• SLB allows quick cutover if one of the physical servers goes down, and also serves to hide the actual IP addresses of the servers in ServFarm.

• SLB Configuration:

• • Creating the server farm:

MLS(config)# ip slb serverfarm ServFarm

• • Creating the virtual server.

MLS(config-slb-sfarm)# real 210.1.1.11

• • Enabling the this server as ready to handle the server farm’s workload

MLS(config-slb-real)# inservice

• Creating the Virtual Server:

MLS(config-slb-vserver)# inservice

• Enable the Virtual Server as ready

MLS(config-slb-vserver)# virtual 210.1.1.14

Wow! Where have I been? In short lets just say I’ve been having a spectacular time at the new employer! So much is going on, I’m learning so much and I’m thrilled at how much I’ve been able to do myself. Its been a little over a month now (started Oct. 4th) and I’ve been involved in some great changes, implementations and planning. I have yet to touch anything other than “the networks”. If you remember I was hired as a hybrid of some sort to span across supporting various technologies supported by my team. I ain’t complaining! My guess is I hit the ground running and applying myself beyond their expectations and they feel I’m best fitted in the exclusive networking role – for now at least. I’m not sure if this is a good or bad thing, but its exactly where I want to be _right now_. There are benefits though to becoming well-rounded with the infrastructure, so I do plan to acquire the knowledge of these areas the moment I get a chance.

So while I’ve been stuffing my brain with new knowledge and adapting to the new environment, I’m still on the hunt for my CCNP! Yep – I had to let up some during September and October, but I’ve been able to (temporarily) restructure studies. My working hours are a bit dynamic and that takes some getting use to for a 9-5 guy like me for the past 5 years. I haven’t been able to execute my normal routine of reading in the AM before getting my day started. So I noticed I was in trouble early on and what I did was took all of my SWITCH CBTs I have and converted them to audio. Because my ride to and from the job is a little over an hour, It makes for perfect CBT audio listening. Though they aren’t exactly podcasts and often refer to a screen, example or diagram; I still find a huge benefit to listening to them. I’m sure I’m not the only loony doing this . The point is not to let what I’ve already learned just go to waste and keeping the material fresh in my head through the audio of the CBT.

During lunch I’m doing some very very short reading.. I mean short! So I snagged a copy of the CCNP SWITCH Cert Kit from @CiscoPress and I have to say they are perfect for a guy in my situation. Now I realize that this is more of a after-read and review or reference, but I think you should do what either works for you or what you can do so long as you don’t just give up. Read my review below.

This kit definitely blends in well with my own notes and other study materials I use as I prepare for my SWITCH exam. The videos are very clear; David Hucaby doesn’t even come close to stuttering or a hiccup at all throughout all the videos which is quite impressive. He obviously took a great deal of time rehearsing to deliver a clear and consistent learning video series. The videos are setup to give you the ability to take notes, draw out the topologies and then see it all in action in the device CLI. This adds a great deal of value to visual learners like me. The topologies are often annotated and highlighted in certain spots while David Hucaby is talking to help explain what he’s covering. Then shortly after he jumps in the CLI and shows you the perspective from the console.

Like I mentioned David Hucaby speaks very clearly and at a very consistent pace so this helped with note taking. It’s very easy to go back and forth during the video to take notes or review something that you would like o hear or see again. David is a bit monotone in his delivery, so if you’re used to a very animated lecturer you might be disappointed. I for one have seemed not to care about the dryness of the presenter.

The quick reference booklet is just that, it’s a great quick reference. It’s not going to replace your foundation learning guides at all so don’t expect any shortcuts! The booklet in my opinion is perfect for an on-the-road or waiting around (in the car, doctor’s office, etc) kind of scenario – you can thumb through it pretty quickly and get a nice refresh on everything SWITCH related.

Overall the kit is excellent and for the price you can’t beat it. But be realistic, it’s not meant to replace any certified or full blown cert guide or book

The DVD also includes a copy of CCNP SWITCH cert flash cards online.

I’ve learned that you can never have too many study resources when preparing for these certifications, and constant reinforcement of the material can only help you along the way.

Cheers!

-LBSources

Chapter 6 notes.. Chris Bryant’s (@ccie12933) BCMSN study guide!

Passwords

• The enable password can be set using “enable password” or “enable secret” commands
  • SW2(config)#enable password yourpassword
  • SW2(config)#enable secret yoursecretpassword
    • The “enable secret” command encrypts the password in the configuration without the “service password-encryption” command.
    • The “enable secret” command supersedes the “enable password” command and this password will be used instead.
• All passwords appear in the configuration in clear text by default except the enable secret.
  • The command service password-encryption will encrypt the remaining passwords.
• When configuring VTY lines be sure to enable “login” and set a password or else they will not be able to log in via telnet, ssh, etc
  • SW2(config)#line con 0
  • SW2(config-line)#login
    % Login disabled on line 0, until ‘password’ is set
  • SW2(config-line)#password lbsser

• Cisco switches have more VTY lines than routers. Routers allow up to five simultaneous Telnet sessions, switches allow more – 0-15 (16) typically

• Any user who telnets in to a switch will be placed into user exec mode, and will then be prompted for the proper enable mode password.
  • If neither the enable secret nor the enable password has been set, the user will not be able to enter enable mode

To place users coming into the switch via telnet straight into enable mode, use the command “privilege level 15” under the VTY lines.

• SW2(config)#line con 0
• SW2(config-line)#privilege level 15

To place some users in user user-exec mode and some into privileged-exec mode create a local user database, set the appropriate privilege levels and set the VTY login to use the “local” database (remove any passwords configured on VTY lines as good habit and housekeeping):

• SW2(config)#username lbsources privilege 15 password CCIE
  • Configures the user for privilege level 15 – will be placed into privilege-exec mode on login
• SW2(config)#username joeshmoe password CCNP
• SW2(config)#username ricosuave password CCNA
  • No privilege level set – will be placed into global configuration mode and be required to enter the enable password to enter privilege-exec mode.
• SW2(config)#line vty 0 15
• SW2(config-line)#login local

Introduction To AAA

You can use RADIUS and TACACS+ to support AAA (Authentication, Authorization, and Accounting) on Cisco routers/switches

• RADIUS (Remote Authentication Dial-In User Service) uses UDP
• TACACS+ Terminal Access Controller Access Control System) uses TCP

Authentication

• To enable AAA:

• • SW2(config)#aaa new-model

• Basics to configure a RADIUS server

• • SW2(config)#radius-server host 172.1.1.1

• Basics to configure TACACS+

• • SW2(config)#tacacs-server host 172.1.1.1

• Configure methods of authentication

• • SW2(config)#aaa authentication login default local group radius <- This command would check the local database first, then the RADIUS server(s)
    • Login = Set lists for authenticating login
    • Default = The default authentication list that will be created with the methods of AAA
    • Local = Use the loca username database for authentication
    • Group = Use the following server group
    • Radius = Use list of RADIUS groups defined

• Apply to VTY lines:

• • SW2(config)#line vty 0 15
  • SW2(config-line)#login authentication default
    • Default = use the default authentication list

Authorization

• RADIUS is limited in the different levels of authorization

• TACACS+ can be configured to force the user to be authenticated for any of the following tasks:

• • SW2(config)#aaa authorization ?
    auth-proxy For Authentication Proxy Services
    commands For exec (shell) commands.
    config-commands For configuration mode commands.
    configuration For downloading configurations from AAA server
    exec For starting an exec (shell).
    network For network services. (PPP, SLIP, ARAP)
    reverse-access For reverse access connections

• Authorization is applied in the same way Authentication was.

Accounting

• Accounting will use a RADIUS or TACACS+ server to track user activity

• The more accounting you do, the more resources it takes from your router/switch.

• Basics to configure accounting:

• • SW2(config)#aaa accounting ?
    commands For exec (shell) commands.
    connection For outbound connections. (telnet, rlogin) exec For starting an exec (shell).
    nested When starting PPP from EXEC, generate NETWORK records before EXEC-STOP record.
    network For network services. (PPP, SLIP, ARAP)
    send Send records to accounting server.
    suppress Do not generate accounting records for a specific type of user.
    system For System events.
    update Enable accounting update records.

• Apply the methods list:

• • SW2(config)#line vty 0 15
  • SW2(config-line)#accounting ?
    arap For Appletalk Remote Access Protocol
    commands For exec (shell) commands
    connection For connection accounting
    exec For starting an exec (shell)

Port Security

• Port security uses a host’s MAC address as a password, and if a device with a different MAC address sends frames to the switch on that port, the port will take action – by default, it will shut down.

• To enable port security:

• • SW2(config)#int fast 0/5
  • SW2(config-if)#switchport port-security
    Command rejected: Fa0/5 is not an access port. <– Port must be made an access port. Ports security can’t be enabled on a port that can possibly form a trunk

• • SW2(config-if)#switchport mode access
  • SW2(config-if)#switchport access vlan 10
  • SW2(config-if)#switchport port-security ?
    aging Port-security aging commands
    mac-address Secure mac address <– Identify the secure MAC address for this port – static option
    maximum Max secure addresses <– the maximum number of secure MAC addresses allowed on the port. This number can vary.  These addresses can be configured statically with the mac-address option, or they can be learned dynamically
    violation Security violation mode
    <cr>

• • SW2(config-if)#switchport port-security violation ?
    protect Security violation protect mode <– Protect mode drops the offending frames
    restrict Security violation restrict mode <– Restrict mode drops the offending frames and will generate both an SNMP trap notification and syslog message regarding the violation.
    shutdown Security violation shutdown mode <- DEFAULT – the port is placed into error-disabled state, an SNMP trap message is generated and manual intervention is needed to reopen the port

• Output from a port running in default “shutdown” mode when the receiving frames from a different MAC address than the one configured:
  05:06:04: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, puttingFa0/7 in err-disable state
  05:06:04: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000f.f773.ed20 on port FastEthernet0/7.
  05:06:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
  05:06:06: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down

• SW1#show int fast 0/7
  FastEthernet0/7 is down, line protocol is down (err-disabled) <– That port must now manually be reopened

• When you specify the number of secure MAC addresses, and you specify secure MAC addresses – if you allow for more secure MAC address than you actually configure manually the remaining secure MAC address will be dynamically learned. This means a rogue host can connect to the port and it will be allowed to communicate.

• • SW1(config-if)#switchport port-security
  • SW1(config-if)#switchport port-security maximum 3
  • SW1(config-if)#switchport port-security mac-address aaaa.aaaa.aaaa
  • SW1(config-if)#switchport port-security mac-address cccc.cccc.cccc

• To verify your port security configuration, run show port-security interface.

• • SW1#show port-security interface fast 0/2
    Port Security : Enabled
    Port Status : Secure-up
    Violation Mode : Shutdown
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 3
    Total MAC Addresses : 2
    Configured MAC Addresses : 2
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 0000.0000.0000:0
    Security Violation Count : 0

• Port security cannot be configured on the following types of ports:

• • trunk ports
  • ports placed in an Etherchannel
  • destination SPAN port
  • 802.1x ports

Dot1x Port-Based Authentication

• Based on the IEEE 802.1x standard

• The Cisco authentication server must be RADIUS, TACACS+ is not supported.

• Major difference between dot1x port-based security and port security:

• • With Dot1x port based authentication, host(s) and switch ports must be configured for 802.1x EAPOL (Extensible Authentication Protocol over LANs).

• Until the user is authenticated, only the following protocols can travel through the port:

• • EAPOL
  • STP
  • CDP
    • By default, once the user authenticates, all traffic can be received and transmitted through this port.

• To configure dot1x, AAA must be enabled and a method list must be created.

• • SW2(config)#aaa new-model
  • SW2(config)#aaa authentication dot1x ?
    WORD Named authentication list.
    default The default authentication list.

• • SW2(config)#aaa authentication dot1x default ?
  • SW2(config)# aaa authentication dot1x default group radius local

• To enable dot1x on the switch:

• • SW2(config)#dot1x ?
    system-auth-control Enable or Disable SysAuthControl

• Dot1x must be configured globally, but every switch port that’s going to run dot1x authentication must be configured as well.

• • SW2(config-if)#dot1x port-control ?
    auto PortState will be set to AUTO
    force-authorized PortState set to Authorized
    force-unauthorized PortState will be set to UnAuthorized

• Force-authorized – forces the port to authorize any host attempting to use the port, but authentication is not required. Basically, there is no authentication on this port type.

• Force-unauthorized – literally has the port unable to authorize any client – even clients who could otherwise successfully authenticate

• The auto setting enables dot1x on the port, which will begin the process as unauthorized. Only the necessary EAPOL frames will be sent and received while the ports unauthorized. Once the authentication is complete, normal transmission and receiving can begin. This is the most common setting.

SPAN Basics

• SPAN allows the switch to mirror the traffic from the source port(s) to the destination port to which the network analyzer is attached. (In some Cisco documentation, the destination port is referred to as the monitor port.)

• The number of simultaneous sessions you can run differs from one switch platform to another

• There are several versions of SPAN, the differences depend on source ports – its’ the location of the source ports that determines the SPAN version

• • Local SPAN – Destination and source ports are all on same switch
  • VLAN-based SPAN – Source is a VLAN rather than a collection of physical ports.

Local SPAN

• To enable SPAN:

• • SW2(config)#monitor session 1 source interface fast 0/1 – 5 <– Configure source ports/VLANs
  • SW2(config)#monitor session 1 destination interface fast 0/10 <– Configure destination port

• Verify the SPAN configuration with show monitor

• SW2#show monitor
  Remote SPAN

• When traffic to be monitored is on one switch, but the only vacant port available is on another switch or there is a switch in between the switch you wish to monitor, you must use Remote SPAN (RSPAN)

• All switches along the path to the destination port will need to be configured for RSPAN

• Considers when configuring RSPAN:

• • If there are intermediate switches between the source and destination switches, they would all need to be RSPAN-capable.
  • VTP treats the RSPAN VLAN like any other VLAN. It will be propagated throughout the VTP domain if configured on a VTP server. Otherwise, it’s got to be manually configured on every switch along the intermediate path. VTP Pruning will also prune the RSPAN VLAN under the same circumstances that it would prune a “normal” VLAN.
  • MAC address learning is disabled for the RSPAN VLAN.
  • The source and destination must be defined on both the switch with the source port and the switch connected to the network analyzer, but the commands are not the same on each.

Configuring RSPAN

• Create the VLAN first, and identify it as the RSPAN VLAN with the remote-span command.

• • SW2(config)#vlan 30
  • SW2(config-vlan)#remote-span

• SW2 is the source switch, and the traffic from ports 0/1 – 0/5 will be monitored and frames mirrored to SW1 via RSPAN VLAN 30.

• • SW2(config)#monitor session 1 source interface fast 0/1 – 5  <– Define source ports on source switch
  • SW2(config)#monitor session 1 destination remote ?
    vlan Remote SPAN destination RSPAN VLAN

• SW2(config)#monitor session 1 destination remote vlan 30 ?
  reflector-port Remote SPAN reflector port

• SW2(config)#monitor session 1 destination remote vlan 30 reflector-port fast 0/12 <– Define the port that will be copying SPAN traffic onto VLAN 30

• SW1(config)#monitor session 1 source remote vlan 30 <– Define the RSPAN VLAN.
• SW1(config)#monitor session 1 destination interface fast 0/10 <– SW1 will receive the mirrored traffic and will send it to a network analyzer on port 0/10.

• Run show monitor to verify the configuration.

• • SW1#show monitor

SPAN Limitations

• Source port notes:
  • A source port can be monitored in multiple, simultaneous SPAN sessions.
  • A source port can be part of an Etherchannel.
  • A source port cannot be configured as a destination port.
  • A source port can be any port type – Ethernet, FastEthernet, etc.

• Destination port notes:
  • A destination port can be any port type.
  • A destination port can participate in only one SPAN session.
  • A destination port cannot be a source port.
  • A destination port cannot be part of an Etherchannel.
  • A destination port doesn’t participate in STP, CDP, VTP, PaGP, LACP, or DTP.

• Trunk ports can be configured as source and/or destination SPAN ports; the default behavior will result in the monitoring of all active VLANs on the trunk.

• ESPAN – Enhanced SPAN. This term has been used to describe different additions that the term has lost meaning. It doesn’t refer to any specific addition or change to SPAN.

VLAN Access Control Lists

• An ACL can filter traffic traveling between VLANs, but cannot prevent hosts in a VLAN from communicating from another host in the same VLAN.

• ACLs on switches:
  • Multilayer switchs can use an ACL to filter traffic for hosts on different VLANS
  • Multilayer switchs must use a  VACL to filter traffic for hosts on the same VLAN

• An ACL must be written in combination with a VACL. The ACL will be used to as the match criterion within the VACL.
  • SW2(config)#ip access-list extended NO_123_CONTACT
  • SW2(config-ext-nacl)#permit ip 171.10.10.0 0.0.0.3 172.10.10.0 0.0.0.255

• VLAN access-map – any traffic matching the ACL to be dropped and all other traffic to be forwarded.
  • SW2(config)# vlan access-map NO_123 10
  • SW2(config-access-map)# match ip address NO_123_CONTACT
  • SW2(config-access-map)# action drop
  • SW2(config-access-map)# vlan access-map NO_123 20
  • SW2(config-access-map)# action forward
    • You must add the final “action forward” statement in order to pass unmatched traffic. Same theory holds when writing a VLAN access-map as with a route-map. Any traffic that doesn’t match the specific clause in the ACL will be dropped.

• Apply the VACL
  • SW2(config)# vlan filter NO_123 vlan-list 100

• VACL notes:
  • Bridged traffic, as well as non-IP and non-IPX traffic, should be filtered with VACLs
  • VACLs run from top to bottom, and run until a match occurs
  • VACLs have an implicit deny at the end. The VACL equivalent of “permit all” is an “action forward” clause with no match criterion, as shown in the previous example. If traffic is not expressly forwarded, it’s implicitly dropped!
  • Only one VACL can be applied to a VLAN
  • The sequence numbers allow you to go back and add lines without rewriting the entire VACL. They are still active while being edited.
  • A routing ACL can be applied to a SVI to filter inbound and/or outbound traffic just as you would apply one to a physical interface, but VACLs are not applied in that way – they’re applied in global configuration mode.
  • On L3 switches, if there’s a VACL configured, and a “normal” ACL affecting incoming traffic that is applied to a routed port that belongs to that same VLAN. Packets entering that VLAN will be matched against the VACL first; if the traffic is allowed to proceed, it will then be matched against the inbound ACL on that port.

Dot1q Tunneling

• Dot1q tunneling allows a service provider to transport frames from different customers over the same tunnel – even if they’re using the same VLAN numbers. This technique also keeps customer VLAN traffic segregated from the service provider’s own VLAN traffic.

• Dot1q tunneling configuration takes place on the service provider sending and receiving data to customer switches:
  • MLS_1(config)#int fast 0/12
  • MLS_1(config-if)#switchport access vlan 100
    • The VLAN number that the customer is using.
  • MLS_1(config-if)#switchport mode dot1qtunnel
  • MLS_1(config-if)#vlan dot1q tag native

• STP, VTP and CDP (service provider accepts CDP, but doesn’t send them through the tunnel) frames will not be transmitted over the dot1q tunnel (this gives the customer only a partial and inaccurate picture of this network). To transmit such frames, a Layer 2 Protocol Tunnel must be built on the service provider edge switches.

Ethernet over MultiProtocol Label Switching

• Another approach to solve the requirements of STP, VTP and CDP packets to be received and sent over the service providers network to far-end switches.

• Service providers must have an MPLS core to support this option.

• With EoMPLS, the service provider cloud consists of two router types.
  • Edge Label Switch Routers (ELSR)
  • Label Switch Routers (LSR)

• The Edge Label Switch Routers (ELSR) are found at the edge of the cloud, and these routers place a MPLS tag, or label, onto incoming traffic that meets predefined criteria. Inside the cloud, Label Switch Routers (LSR) will route the traffic looking only at the MPLS label. Once the remote ELSR receives the packet, the MPLS label is removed and the data can be forwarded normally. The original VLAN value is kept intact.

Transparent LAN Service

• Another approach to solve the requirements of STP, VTP and CDP packets to be received and sent over the service providers network to far-end switches.

• Transparent LAN Service is basically a LAN interconnection technology that hides the connecting WAN from the end users

• One drawback to TLS is that broadcasts will be treated as a broadcast on any VLAN – they’ll be sent to every host in the VLAN

Private VLANs

• Hosts placed into secondary VLANs may have one of the following configurations:
  • The host will be able to communicate with other hosts in the secondary VLAN and with the primary VLAN, but not with hosts in other secondary VLANs – this is a community private VLAN
  • The host can communicate with the primary VLAN, but with no other hosts, including other hosts in its own secondary VLAN — this is an isolated private VLAN

• As an example, a router located off a switch port that has been configured as a private VLAN port – The following are options:

• Promiscuous mode: The device connected to the private VLAN port can communicate with any device connected to any primary or secondary VLAN – This is the recommended mode for ports connected to gateway devices, such as the router
• The host connected to the port is on either type of private VLAN (isolated or community), and can communicate with devices found off other promiscuous ports. If the host is configured as part of a community private VLAN, the host can also communicate with other hosts in that private VLAN.

• Configuring Private VLANs
  • MLS(config-vlan)#private-vlan ?
    association Configure association between private VLANs
    community Configure the VLAN as a community private VLAN
    isolated Configure the VLAN as an isolated private VLAN
    primary Configure the VLAN as a primary private VLAN
    twoway-community Configure the VLAN as a two way community private VLAN

• • MLS(config-vlan)#private-vlan community

Private VLANs can only be configured when VTP is in transparent mode

• • MLS(config-vlan)#exit
  • MLS(config)#vtp mode transparent

Setting device to VTP TRANSPARENT mode.

• Now the primary VLAN must be configured as the “associate” of the private VLAN.
  • MLS(config)#vlan 20
  • MLS(config-vlan)#private-vlan community
  • MLS(config-vlan)#private-vlan association ?
    WORD VLAN IDs of the private VLANs to be configured
    add Add a VLAN to private VLAN list
    remove Remove a VLAN from private VLAN list

• • MLS(config-vlan)#private-vlan association 30

• Now place the ports into the private VLAN:
  • MLS(config)#interface f0/4
  • MLS(config-if)# switchport mode private-vlan 20 host
    • If this were the port connected to a router, we’d need the promiscuous option configured instead of host.

DHCP Snooping

• DHCP Snooping allows the switch to serve as a firewall between hosts and untrusted DHCP servers. DHCP Snooping classifies interfaces on the switch into one of two categories – trusted and untrusted.

• DHCP messages received on trusted interfaces will be allowed to pass through the switch.

• DHCP messages received on untrusted interfaces be dropped by the switch, the interface itself will be placed into err-disabled state.

• When DHCP Snooping is enabled, all ports are considered untrusted

• Enable DHCP Snooping on the entire switch:
  • SW1(config)#ip dhcp snooping

• Identify the VLANs that will be using DHCP Snooping.
  • SW1(config)#ip dhcp snooping ?
    database DHCP snooping database agent
    information DHCP Snooping information
    verify DHCP snooping verify
    vlan DHCP Snooping vlan
    <cr>

• • SW1(config)#ip dhcp snooping vlan ?
    WORD DHCP Snooping vlan fist number or vlan range, example: 1,3-5,7,9-11

• • SW1(config)#ip dhcp snooping vlan 4

• Assuming we have a trusted DHCP server off port 0/10, we would then trust that port with the following command:
  • SW1(config-if)#ip dhcp snooping trust

• DHCP Snooping is verified with the show ip dhcp snooping command.
  • SW1#show ip dhcp snooping

Dynamic ARP Inspection

• ARP Cache Poisoning / ARP Spoofing: A rogue host responds to an ARP request intended for another hose with its own MAC address. The rogue host will acquire the true MAC address of the intended host and possibly relay (after reading) packets from the originating host to the intended host – through itself – creating a man in the middle scenario

• Cisco’s recommended trusted/untrusted port configuration is to have all ports connected to hosts run as untrusted and all ports connected to switches as trusted.

• Since DAI runs only on ingress ports, this configuration scheme ensures that every ARP packet is checked once, but no more than that.

• There is no problem with running DAI on trunk ports or ports bundled into an Etherchannel.

• Enabling Dynamic ARP Inspection (DAI) prevents this behavior by building a database of trusted MAC-IP address mappings – using the same database that is built by the DHCP Snooping process.

• DAI uses the concept of trusted and untrusted ports, just as DHCP Snooping does. However, untrusted ports in DAI do not automatically drop ARP Requests and Replies.

• Once the IP-MAC address database is built, every single ARP Request and ARP Reply received on an untrusted interface is examined.
  • If the ARP message has an approved MAC-IP address mapping, the message is forwarded appropriately; if not, the ARP message is dropped.
  • If the interface has been configured as trusted, DAI allows the ARP message to pass through without checking the database of trusted mappings.

• DAI is performed as ARP messages are received, not transmitted.

• Since DAI uses entries in the DHCP Snooping database to do its job, DHCP Snooping must be enabled before beginning to configure DAI.

• Configuring Dynamic Arp Inspection:
  • SW1(config)#ip arp inspection ?
    filter Specify ARP acl to be applied
    log-buffer Log Buffer Configuration
    validate Validate addresses
    vlan Enable/Disable ARP Inspection on vlans

• • SW1(config)#ip arp inspection vlan ?
    WORD vlan range, example: 1,3-5,7,9-11

• • SW1(config)#ip arp inspection vlan 4
  • SW1(config)#int fast 0/4
  • SW1(config-if)#ip arp inspection trust

• DAI “validate” options:
  • SW1(config)#ip arp inspection validate ?
    dst-mac Validate destination MAC address <– compares the source MAC address in the Ethernet header and the MAC address of the source of the ARP message.

    ip Validate IP addresses  <– compares the IP address of the sender of the ARP Request against the destination address of the ARP Reply.

    src-mac Validate source MAC address ß compares the destination MAC address in the Ethernet header

• To verify DAI configuration:
  • SW1#show ip arp inspection

IP Source Guard

• Use IP Source Guard to prevent a host on the network from using another host’s IP address.

• IP Source Guard works in tandem with DHCP Snooping, and uses the DHCP Snooping database to carry out this operation.

• As with DAI, DHCP Snooping must be enabled before enabling IP Source Guard.

• How IP Source Guard works:
  • When the host first comes online and connects to an untrusted port on the switch, the only traffic that can reach that host are DHCP packets.
  • When the client successfully acquires an IP address from the DHCP Server, the switch makes a note of this IP address assignment.
  • The switch will then dynamically create an ACL that will only allow traffic with the corresponding source IP address to be processed by the switch.
  • If the host pretends to be another host on that subnet, or to spoof that host’s IP address — the switch will simply filter that traffic because the source IP address will not match the database’s entry for that port.

MAC Address Flooding

• A MAC Address Flooding attack is an attempt by a network intruder to overwhelm the switch memory reserved for maintenance of the MAC address table. The intruder generates a large number of frames with different source MAC addresses – all of them invalid. As the switch’s MAC address table capabilities are exhausted, valid entries cannot be made – and this results in those valid frames being broadcast instead of unicast.

• This has three side effects:
  • As mentioned, the MAC address table fills to capacity, preventing legitimate entries from being made.
  • The large number of unnecessary broadcasts quickly consumes bandwidth as well as overall switch resources
  • The intruder can easily intercept packets with a packet sniffer, since the unnecessarily broadcasted packets will be sent out every port on the switch – including the port the intruder is using.
  • When the switch on the other side of the trunk gets that frame, it sees the tag for VLAN 100 and forwards the frame to ports in that VLAN. The rogue now has successfully fooled the switches and has hopped from one VLAN to another.

• MAC address flooding can be combated using 2 features:
  • Port-based authentication
  • Port-security

VLAN Hopping

• One method of VLAN hopping is where double tagging takes place. The intruder will transmit frames that are double tagged with two separate VLAN IDs. Changing the native VLAN and having no hosts on this VLAN usually resolves this issue with this version.
  • When the rogue host transmits a frame, that frame will have two tags. One will indicate native VLAN membership, and the second will be the number of the VLAN under attack.
  • The trunk receiving this double-tagged frame will see the tag for the native VLAN, that tag will be removed and then transmitted across the trunk – but the tag VLAN under attack is still there!
  • When the switch on the other side of the trunk gets that frame, it sees the tag for the VLAN under attack and forwards the frame to ports in that VLAN.
  • The rogue now has successfully fooled the switches and has hopped from one VLAN to another.

• Circumstances for double tagging attacks to be successful:
  • The intruder’s host device must be attached to an access port.
  • The VLAN used by that access port must be the native VLAN.
  • Dot1q must be the trunking protocol in use, since ISL doesn’t use the native VLAN.

• Switch Spoofing – Allows the rogue to pretend to be a member of *all* VLANs in your network.
  • A switch in default dynamic desirable mode sends out DTP frames in an aggressive effort to form a trunk
  • When a port is left at this default and placed into “auto” mode, a trunk will still form, though it’s not actively trying to do so.
  • The rogue host will pretend to be a switch and send DTP frames back to the switch and this will lead to a trunk.
  • Once the trunk is formed, the rogue now has access to  all VLANs known to that switch and the network

• To prevent Switch Spoofing and as best practice turn ports into access ports – this disables the port’s ability to create a trunk.

Any corrections or additions are greatly appreciated! You can download a copy of these notes by clicking the “Printer Friendly” below.

Cheers!

@LBSources