Sunday, December 16, 2012

CCNP Switch !!

CatOS or native IOS.
VLAN: the fabric of every enterprise network.
Cisco calls the multi-VLAN port a trunk (the "magic port"); other vendors call it a tagged port.
Every VLAN has its own subnet.
VLANs should not be carried in the core; they should be terminated at the distribution layer:
-Local VLANs do not extend beyond the distribution layer
-Local VLAN traffic is routed to other destinations
-VLANs should be created around physical boundaries

The VLAN database is stored in flash
Erase it with the delete command

Trunking:
The process of connecting switches together and allowing multi-VLAN traffic to pass between them.
Places VLAN information (a tag) into each frame
Layer 2 feature.

Two tagging flavors:
-ISL
Cisco proprietary
Encapsulates the entire frame
Being phased out

802.1Q
-open standard / industry standard
-inserts a tag into the frame rather than encapsulating it

ISL
26-byte header [junk + VLAN tag (2 bytes) + junk] + Ethernet frame + 4-byte CRC

802.1Q
DMAC + SMAC + 4-byte tag [3-bit priority (CoS) + VLAN ID, in a 2-byte tag control field] + rest of the Ethernet frame + FCS

What is the deal with the native VLAN?
This concept is specific to 802.1Q. A trunk link, by definition, passes all tagged VLAN frames; along with those it also passes untagged frames, which are assigned to the native VLAN of the trunk port.
This native VLAN concept is used when a VoIP phone is connected between the switch and a computer.
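To make the native-VLAN rule concrete, here is an added Python example (not from the original notes) that parses the 802.1Q tag described above and assigns untagged frames, and priority-tagged frames with VLAN ID 0, to the trunk's native VLAN. The sample frames, MAC addresses and the native VLAN 99 are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces a 4-byte 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes, native_vlan: int) -> dict:
    """Classify one Ethernet frame received on an 802.1Q trunk.

    Returns the VLAN the switch would place the frame in, the CoS value and
    the EtherType of the payload. Untagged frames (and priority-tagged frames
    whose VLAN ID is 0) land in the trunk's native VLAN, which is exactly the
    behaviour the notes above describe.
    """
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than a 14-byte Ethernet header")
    dmac, smac = frame[0:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        # No tag: the frame belongs to the native VLAN and CoS defaults to 0.
        return {"dmac": dmac, "smac": smac, "tagged": False,
                "cos": 0, "vlan": native_vlan, "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # The 2-byte Tag Control Information holds PCP(3) | CFI/DEI(1) | VID(12).
    tci, payload_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return {"dmac": dmac, "smac": smac, "tagged": True,
            "cos": tci >> 13,
            "vlan": native_vlan if vid == 0 else vid,   # VID 0 = priority tag only
            "ethertype": payload_type}


def build_tagged_frame(dmac: bytes, smac: bytes, vlan: int, cos: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Build a tagged frame the way a trunk port would before sending it."""
    if not 0 <= vlan <= 4094 or not 0 <= cos <= 7:
        raise ValueError("VLAN ID must be 0..4094 and CoS 0..7")
    tci = (cos << 13) | vlan
    return dmac + smac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


# Constructed sample traffic: a phone frame tagged VLAN 100 with CoS 5, and an
# untagged PC frame that a trunk with native VLAN 99 assigns to VLAN 99.
DMAC = bytes.fromhex("ffffffffffff")
SMAC = bytes.fromhex("0000aabbccdd")
PAYLOAD = b"\x00" * 46

PHONE_FRAME = build_tagged_frame(DMAC, SMAC, vlan=100, cos=5,
                                 ethertype=ETHERTYPE_IPV4, payload=PAYLOAD)
PC_FRAME = DMAC + SMAC + struct.pack("!H", ETHERTYPE_IPV4) + PAYLOAD

if __name__ == "__main__":
    for name, frame in (("phone", PHONE_FRAME), ("pc", PC_FRAME)):
        print(name, parse_frame(frame, native_vlan=99))
```

The native VLAN is also why a mismatch between the two ends of a trunk (listed later under common VLAN problems) matters: each side puts the same untagged frame into a different VLAN.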

Negotiating trunking:
-Switches can auto-negotiate trunk connections using the Dynamic Trunking Protocol (DTP)
Five different modes:
-access = always access; only one VLAN
-trunk = always a trunk; sends DTP
-dynamic auto = if both sides are set to auto, the link won't become a trunk. One side auto and the other side desirable (or trunk): it will become a trunk.
-dynamic desirable (default) = will negotiate with the other side and will always end up as a trunk. This is a security problem if the Cisco switch is connected to the outside world.
-nonegotiate = won't send DTP. Highly desirable, since DTP packets can be spoofed.
We can also restrict which VLANs cross a trunk manually with "switchport trunk allowed vlan <ids>".
To verify the config:
show int f0/0 switchport
show int f0/0 trunk

VTP: VLAN replication protocol
Eases your daily administration
Good: replicates VLANs
Bad: if a new switch with a higher configuration revision number is added to the VTP domain, all the other switches flush their VLAN database and replace it with the new switch's VLAN configuration. This is a security issue.
You then have to manually re-create those VLANs to restore the original database.

VTP modes :
Server (default)
-power to change vlan information
-sends and receives vtp updates
-saves vlan configuration

Client
-cannot change vlan information
-send and receives vtp updates
-does not save vlan configuration

Transparent
-power to change vlan information
-forwards (passes through) vtp updates – vtp2
-does not listen to vtp advertisements
-saves vlan configuration

VTP pruning:
-keeps unnecessary broadcast traffic from crossing trunk links
-only works on VTP servers

show vtp status
By default the switch runs VTP version 1

Common VLAN problems:
Native VLAN mismatch
Trunk negotiation issues
-auto-to-auto does not become a trunk
-if possible, avoid DTP (trunk negotiation)
VTP updates not applying
-verify VTP domain/password
-verify VTP version
-verify trunk links
-delete flash:vlan.dat and reboot

STP:
Switches forward broadcast frames out all ports by design
Redundant connections are necessary in business networks
STP drops a tree over the redundant links (blocks them until they are needed)
Facts about STP:
- The original STP (802.1D) was created to prevent loops
- Switches send "probes" into the network called BPDUs to discover loops
- The BPDU probes also help elect the core switch of the network, called the root bridge
- All switches find the best way to reach the root bridge, then block all redundant links
BPDUs are sent once every two seconds. Bridge ID = priority (4 bits) + MAC
Priority is a value between 0 and 61440 (default 32768) in increments of 4096; lower is better
Three port types:
Root port: used to reach the root bridge
Designated port: forwarding port, one per link
Blocking / non-designated port: where the tree fell
Switches find the lowest-cost path to the root:
10 Mbps - 100
100 Mbps - 19
1 Gbps - 4
How STP finds the best path:
- Use the lower bridge ID on equal-cost paths
- Use the lower port to break a tie
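The root election, root-port selection and port roles described above, as an added Python model that is not part of the original notes. The three-switch topology, MAC addresses and port numbers are constructed; the port costs are the 802.1D values from the table above. The model also goes one step further than the notes and labels every port end as designated, root or blocking.

```python
import heapq

# 802.1D port costs from the table above (Mbps -> cost)
PORT_COST = {10: 100, 100: 19, 1000: 4}


def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge ID = priority + MAC address; comparing the tuple picks the lowest."""
    return (priority, mac.lower())


def elect_root(switches: dict) -> str:
    """switches: {name: (priority, mac)}. The lowest bridge ID becomes root."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def spanning_tree(switches: dict, links: list):
    """Root path cost and root port for every non-root switch.

    links: [(a, port_a, b, port_b, mbps)]. A candidate path into a switch is
    ranked as (cost, upstream bridge ID, upstream port, local port): lowest
    cost first, then the tie-breakers the notes list. Port cost is charged on
    the receiving (root-facing) port, as in STP.
    """
    root = elect_root(switches)
    adj = {name: [] for name in switches}
    for a, pa, b, pb, mbps in links:
        adj[a].append((b, pa, pb, PORT_COST[mbps]))  # neighbour, my port, its port
        adj[b].append((a, pb, pa, PORT_COST[mbps]))
    best = {root: (0, None, None, None)}
    heap = [(0, bridge_id(*switches[root]), 0, 0, root)]
    while heap:
        cost, _, _, _, name = heapq.heappop(heap)
        if cost > best[name][0]:
            continue  # stale heap entry; a cheaper path was found since
        for nbr, my_port, its_port, link_cost in adj[name]:
            cand = (cost + link_cost, bridge_id(*switches[name]), my_port, its_port)
            if nbr not in best or cand < best[nbr]:
                best[nbr] = cand
                heapq.heappush(heap, (*cand, nbr))
    tree = {s: {"root_cost": v[0], "via": v[1], "root_port": v[3]}
            for s, v in best.items() if s != root}
    return root, tree


def port_roles(switches: dict, links: list):
    """Assign designated / root / blocking to both ends of every link.

    On each link the end with the lower (root path cost, bridge ID) is the
    designated port; the other end is that switch's root port if it is the
    one it chose, otherwise it blocks (the branch "where the tree fell").
    """
    root, tree = spanning_tree(switches, links)
    cost = {s: 0 if s == root else tree[s]["root_cost"] for s in switches}
    roles = {}
    for a, pa, b, pb, _ in links:
        rank_a = (cost[a], bridge_id(*switches[a]))
        rank_b = (cost[b], bridge_id(*switches[b]))
        desig, dport, other, oport = (a, pa, b, pb) if rank_a < rank_b else (b, pb, a, pa)
        roles[(desig, dport)] = "designated"
        is_root_port = other != root and tree[other]["root_port"] == oport
        roles[(other, oport)] = "root" if is_root_port else "blocking"
    return root, roles


# Constructed topology: equal priorities, so the lowest MAC (SW1) becomes root.
# SW3's direct 100 Mbps link to the root costs 19, while going through SW2 over
# two gigabit links costs 4 + 4 = 8, so the direct link ends up blocking.
SWITCHES = {"SW1": (32768, "0000.0000.0001"),
            "SW2": (32768, "0000.0000.0002"),
            "SW3": (32768, "0000.0000.0003")}
LINKS = [("SW1", 1, "SW2", 1, 1000),
         ("SW1", 2, "SW3", 1, 100),
         ("SW2", 2, "SW3", 2, 1000)]

if __name__ == "__main__":
    root, tree = spanning_tree(SWITCHES, LINKS)
    print("root bridge:", root, tree)
    print("port roles:", port_roles(SWITCHES, LINKS)[1])
```

Because everything hinges on the lowest bridge ID, any device that advertises a lower priority than the real root takes the topology over; that is the attack the root guard and BPDU guard notes later in the page defend against.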

RSTP:
Why we need it:
STP was created a long time ago, when downtime was not a big deal.
Listening: 15 seconds of listening for BPDUs; the switch sends/receives BPDUs
Learning: 15 sec of learning MAC addresses; populates the switch CAM table
Forwarding: the port is forwarding traffic
Blocking: the switch will wait up to 20 sec (max age) before moving a blocked port into the listening phase.

If the primary link fails, the switch waits up to 20 sec (max age) before bringing the other link up, so the total time before that link is in the forwarding state is around 50 sec.

Solution:
PortFast: should only be enabled on ports connected to a single host.

Problem with uplink ports: 50 seconds of downtime causes big problems, and we can't enable PortFast on uplink ports.

Solution: RSTP
802.1w
Proactive system
Redefined port roles
Many STP similarities

Port states:
Discarding: the blocking state
Learning: exactly as STP learning
Forwarding: as before

Port roles:
Root port:
Designated ports:
Alternate ports: blocking in STP
Edge ports: what we called PortFast in STP; the command is still the same as in STP. It is a point-to-point link and avoids the STP wait while a PC boots.

Edge ports:
The edge port concept is already well known to Cisco spanning-tree users, as it basically corresponds to the PortFast feature. Ports directly connected to end stations cannot create bridging loops in the network. Therefore, an edge port transitions directly to the forwarding state and skips the listening and learning states. Neither edge ports nor PortFast-enabled ports generate topology changes when the link toggles. Unlike PortFast, an edge port that receives a BPDU immediately loses its edge port status and becomes a normal spanning-tree port. At this point there is a user-configured value and an operational value for the edge port state. The Cisco implementation keeps the PortFast keyword for edge port configuration, which makes the transition to RSTP simpler.

Why is RSTP better?
- Because it doesn't forget ports
- Because of its proactive nature, many "safety timers" of STP are eliminated
- Any change on trunk ports floods through the network to the other switches (TC packets)
- Because the name says "RAPID"

Configuring RSTP:
spanning-tree mode rapid-pvst == also supports other vendors

EtherChannel: aggregating redundant links
Two negotiation protocols:
Port Aggregation Protocol (PAgP)
-Cisco proprietary
-port modes: auto, desirable, on

Link Aggregation Control Protocol (LACP)
-industry standard (802.3ad)
-port modes: passive, active, on

Configuring EtherChannel
Layer 2 EtherChannel
Layer 3 EtherChannel

show etherchannel detail
show ip int br | include Port-channel

Best practices:
-All ports must use the same speed and duplex (hard-code them)
-Interfaces in a bundle are redundant
-No interface in a bundle can be a SPAN port
-Interfaces in a bundle must be in the same VLAN/trunk
-Any change to the port-channel affects all bundled ports
-Any change to an individual port affects only that port

L3 Switching:
The famous "router on a stick"
Advantages of using multilayer switching

Need for routing between VLANs:
Solution 1: router on a stick

Advantages: simple and lower cost
Disadvantages: congestion on a single link, single point of failure, routing delay.

Configuring router on a stick:
- On the switch, configure a trunk
- On the router, create sub-interfaces

Solution 2: multilayer switch
Advantages:
- Routing at wire speed
- Backplane bandwidth
- Redundancy enabled
Disadvantage: cost

Setup:
- Create SVIs
- (optional) create routed ports
- (optional) enable routing protocols

On a switch you must enable "ip routing"; on a router it is enabled by default.

An L3 switch is a switch with a router inside.
A multilayer switch is a switch that has the ability to cache routing information.

Every L3 switch is a multilayer switch, but not every multilayer switch is an L3 switch.

To make a switch port a routed port, use "no switchport".

Understanding CEF optimization:
Layer 3 routing vs. Layer 3 switching:
- Routers and L3 switches both have IOS software routing
- Software routing is relatively slow compared to ASICs
- L3 switches can play a little software/hardware trick
An L3 switch has two layers (IOS software and hardware):
IOS software: the L3 engine (routing table)
CEF: moves the L3 routing table into a hardware cache, the FIB
ASIC hardware: the FIB and adjacency table
Exceptions to CEF (handled in software):
-packets with IP header options
-packets with TTL expired
-packets destined to a tunnel interface
-packets with unsupported encapsulations
-packets requiring fragmentation (MTU exceeded)

Redundancy:
HSRP, VRRP and GLBP
- Redundancy is good
- What is the difference between these protocols?
- Configuring and tuning HSRP
Redundancy considerations:
-How fast can failover happen?
-How does the client know?
-What about ARP cache issues?
-What if just the WAN link fails?

HSRP vs. VRRP vs. GLBP
1. Hot Standby Router Protocol (HSRP)
- Created by Cisco, for Cisco, in 1994
- Uses a default hello timer of 3 sec with a hold timer of 10 sec
2. Virtual Router Redundancy Protocol (VRRP)
- Created by the IETF in 1999
- Works between multiple vendors
- Has faster timers than HSRP by default: hello of 1 sec, hold timer of 3 sec

3. Gateway Load Balancing Protocol (GLBP)
- Created by Cisco, for Cisco, in 2005
- Identical features to HSRP, but allows an active-active setup that adds load balancing
Focus on HSRP (on L3 switches):
- Gateways are organized into standby groups
- One gateway is active, the others are in standby
- A phantom (virtual) router IP and MAC address is generated
- Hello messages are sent once every 3 sec; dead after 10 sec
- The client is not aware of the change, since its gateway address stays the same
Virtual MAC address:
Generated from the standby group number:
0000.0c07.acXX, where 0000.0c is the Cisco vendor ID, 07.ac is the HSRP ID and XX is the standby group number (in hex)
HSRP base configuration:
-Create the standby group
-Reassign the IP address
-Verify
-Optimize and tune
S(config)# int vlan 70                  == router interface (SVI) in VLAN 70
S(config-if)# standby 1 ip 172.30.70.1  == 1 is the group number; the virtual gateway IP
S(config-if)# standby 1 priority 150
Tuning and optimizing HSRP:
-preempt
-priority
-tracking
-timers
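An added Python model (not from the original notes) of the HSRP behaviour described above: the virtual MAC derived from the group number, the active election by priority and IP address, and how the preempt and tracking knobs interact when the WAN link of the active gateway fails. The gateway names, addresses and the tracking decrement of 60 are assumptions made for the example.

```python
import copy
import ipaddress


def hsrp_virtual_mac(group: int) -> str:
    """Virtual MAC 0000.0c07.acXX: Cisco OUI + HSRP ID + group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group numbers are 0..255")
    return f"0000.0c07.ac{group:02x}"


def effective_priority(router: dict) -> int:
    """Interface tracking: every tracked interface that is down lowers the
    configured priority by its decrement."""
    prio = router["priority"]
    for is_up, decrement in router.get("tracked", []):
        if not is_up:
            prio -= decrement
    return prio


def rank(router: dict) -> tuple:
    """Highest effective priority wins; a tie goes to the highest IP address."""
    return (effective_priority(router), int(ipaddress.ip_address(router["ip"])))


def elect_active(routers: list, current_active=None) -> str:
    """Name of the router that is active after this round of hellos.

    With no active router yet, the best-ranked one wins. When a router is
    already active, a higher-priority router only takes over if it has
    preempt configured; otherwise the incumbent keeps the role.
    """
    by_name = {r["name"]: r for r in routers}
    if current_active not in by_name:
        return max(routers, key=rank)["name"]
    incumbent = by_name[current_active]
    challengers = [r for r in routers
                   if r["name"] != current_active and r.get("preempt")
                   and effective_priority(r) > effective_priority(incumbent)]
    if not challengers:
        return current_active
    return max(challengers, key=rank)["name"]


# Constructed standby group 1 on VLAN 70: DSW1 is preferred (priority 150)
# and tracks its WAN uplink with an assumed decrement of 60.
GATEWAYS = [
    {"name": "DSW1", "ip": "172.30.70.2", "priority": 150, "preempt": True,
     "tracked": [(True, 60)]},
    {"name": "DSW2", "ip": "172.30.70.3", "priority": 100, "preempt": True,
     "tracked": []},
]


def failover_demo(dsw1_preempt: bool = True) -> tuple:
    """Walk through: steady state, WAN link on DSW1 fails, WAN link returns.
    Returns the active router after each step."""
    gws = copy.deepcopy(GATEWAYS)
    gws[0]["preempt"] = dsw1_preempt
    active = elect_active(gws)                     # DSW1: 150 beats 100
    gws[0]["tracked"] = [(False, 60)]              # DSW1 drops to 90
    after_failure = elect_active(gws, active)      # DSW2 preempts: 100 > 90
    gws[0]["tracked"] = [(True, 60)]               # DSW1 back to 150
    after_recovery = elect_active(gws, after_failure)
    return active, after_failure, after_recovery


if __name__ == "__main__":
    print("group 1 virtual MAC:", hsrp_virtual_mac(1))
    print("with preempt on DSW1:", failover_demo(True))
    print("without preempt on DSW1:", failover_demo(False))
```

The walk-through shows why tracking is only useful together with preempt on the standby gateway: lowering the active router's priority changes nothing unless someone is allowed to take the role away from it, and the clients never notice either way because the virtual IP and MAC stay the same.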

VRRP terminology shift:
1. Active/standby becomes master/backup
2. Standby group becomes VRRP group
3. The master router can share the virtual IP
4. One-second hello timer; three times the hello = down time (+ skew timer)
VRRP configuration:
1. Configure the VRRP group
2. Optimize settings
3. Verify
What's different in GLBP?
-Single VIP with multiple MACs
-The active virtual gateway (AVG) acts as the "point man"
-The other routers act as active virtual forwarders (AVFs)
WIRELESS LAN:
1. A wireless access point (WAP) communicates like a hub
-shared signal
-half duplex

2. Uses unlicensed bands of radio frequency (RF)
3. Wireless is a physical and data link standard
4. Uses CSMA/CA instead of CSMA/CD
5. Faces connectivity issues because of interference
Understanding SSID:
1. The service set identifier uniquely identifies and separates wireless networks
2. When a wireless client is enabled:
-the client issues a probe
-access points respond with a beacon
-the client associates with the chosen SSID
-the access point adds the client MAC to its association table

Correct design of a WLAN:
- RF service areas should have 10-15% overlap
- Repeaters should have 50% overlap
- Bordering access points should use different channels

CLIENT ROAMING:
1. As more mobile devices
2. True roaming allows seamless movement between access points
3. Not a feature access points can support
4. Provides solid coverage and better battery life
5. Can be costly
Layer 2 roaming:
Requirements: same SSID, same VLAN, same subnet
Layer 3 roaming (mobile IP):
Requirements: same SSID
How a client roams:
- Beacons are missed
- Data reaches the maximum retry count
- Data rate shifts down
- Periodic intervals
Wireless VLAN support:
Multiple VLANs provide support for:
- Multiple security levels
- Multiple subnets
- Multiple access privileges
Frequencies, 802.11 and security standards:
Unlicensed frequencies:
900 MHz range: 902-928 MHz
2.4 GHz range: 2.4-2.483 GHz
5 GHz range: 5.150-5.350 GHz
Understanding RF:
1. RF waves are absorbed (passing through walls) or reflected (by metal)
2. Higher data rates have shorter ranges
3. Higher frequencies of RF have higher data rates
4. Higher frequencies of RF have shorter ranges

The 802.11 lineup:
802.11b
- official as of September 1999
- up to 11 Mbps (1, 2, 5.5 and 11 Mbps data rates)
- most popular standard
- three "clean" channels (same as g)

802.11g
- official as of June 2003
- backwards compatible with 802.11b
- up to 54 Mbps (12 data rates)
- three "clean" channels (1, 6 and 11; these channels don't overlap with each other)

802.11a
- official as of September 1999
- up to 54 Mbps
- not cross-compatible with b or g
- 12 to 23 "clean" channels

Wireless security evolution:
-1997: Wired Equivalent Privacy (WEP)
-2001: 802.1X EAP
-2003: Wi-Fi Protected Access (WPA) == TKIP
-2004: IEEE 802.11i (WPA2) == runs AES or TKIP

Understanding the hardware:
Understanding the AP categories:
1. Autonomous APs
- Stand-alone system
- Cisco IOS-based
- Can be centrally controlled using Wireless Domain Services (WDS)
- Managed using the CiscoWorks Wireless LAN Solution Engine (WLSE)

2. Lightweight APs
- Server-dependent system
- Zero-configuration access points
- Can be centrally controlled using a Wireless LAN Controller
- Managed using the Cisco Wireless Control System (WCS) (optional)
The Lightweight Access Point Protocol (LWAPP) is used between the controller and the APs
The controller has all the intelligence for communication
The access point acts as a "dumb terminal" that processes packets
Referred to as a "split MAC" design

VOIP:
Why?
- Moves, adds and changes (MACs)
- Bandwidth and equipment efficiency
- Lower cost of voice transmission
- New applications and devices

Switch ---- VoIP phone (VLAN 100) ---- computer (VLAN 200)
Understanding and configuring QoS:
1. Two QoS markings:
- Class of Service (CoS): Layer 2
- Differentiated Services (earlier ToS): Layer 3
Header: CoS (3 bits, providing 8 levels of marking) | DiffServ (3-6 bits, providing many levels of marking) | other packet fields
3 bits (ToS, known as IP precedence) -> 6 bits (DSCP); the field is actually 8 bits, but 2 bits are reserved.
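An added Python example (not from the original notes) that splits the ToS byte into the IP precedence, DSCP and reserved-bit views described above, names the well-known DSCP values, and applies the default Catalyst DSCP-to-CoS mapping (CoS = DSCP / 8, i.e. the top 3 bits of the 6) that links the Layer 3 marking to the Layer 2 one. The sample ToS bytes are constructed.

```python
def dscp_name(dscp: int) -> str:
    """Per-hop-behaviour name for a 6-bit DSCP value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 46:
        return "EF"                     # expedited forwarding (voice bearer)
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    if dscp & 0b111 == 0:
        return f"CS{cls}"               # class selector = old IP precedence values
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{cls}{drop}"         # assured forwarding: class + drop precedence
    return f"DSCP{dscp}"


def dscp_to_cos(dscp: int) -> int:
    """Catalyst default DSCP-to-CoS map: CoS = DSCP // 8 (the top 3 bits)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return dscp >> 3


def cos_to_dscp(cos: int) -> int:
    """Catalyst default CoS-to-DSCP map: DSCP = CoS * 8."""
    if not 0 <= cos <= 7:
        raise ValueError("CoS is a 3-bit field")
    return cos << 3


def tos_fields(tos: int) -> dict:
    """Split the IPv4 ToS byte into the 3-bit IP precedence view, the 6-bit
    DSCP view and the 2 reserved bits (now ECN), plus the CoS a switch that
    trusts DSCP would write into the 802.1Q tag."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS is one byte")
    dscp = tos >> 2
    return {"precedence": tos >> 5, "dscp": dscp, "ecn": tos & 0b11,
            "name": dscp_name(dscp), "cos": dscp_to_cos(dscp)}


# Constructed sample ToS bytes as they would appear in captured IP headers.
SAMPLES = {"voice bearer": 0xB8, "video": 0x88, "signalling": 0x60, "best effort": 0x00}

if __name__ == "__main__":
    for label, tos in SAMPLES.items():
        print(f"{label:12s} tos=0x{tos:02X} {tos_fields(tos)}")
```

Because the precedence bits are simply the top three DSCP bits, the CS values line up with the old IP precedence numbers, which is why a DSCP-trusting switch and an old precedence-based router still agree on the relative priority of EF (46, precedence 5) and CS3 (24, precedence 3).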
CAMPUS SECURITY:
Basic port security and 802.1X
Common L2 attacks:
Port security on Catalyst switches:
1. Can use secure MAC addresses
- Dynamic
- Static
- Sticky
2. Limits the number of MAC addresses per port
VLAN and spoofing attacks:
1. Preventing VLAN hopping attacks
-VLAN hopping: an attacker negotiates a trunk connection with a switch and moves between VLANs
-simple, yet easily forgotten, prevention

2. Private VLANs (VLAN within a VLAN)
Port types:
-promiscuous (usually the default gateway)
-isolated
-community

STP attacks and other security considerations:
1. STP protocol attacks
-A port with PortFast should be configured with BPDU guard too.
-Root guard: restricts which ports a valid root may be detected on. Set it only on the root bridge or backup root bridge; any switch connected to a root-guard port can never become root.

Best practices:
-disable CDP wherever possible
-lock down STP
-disable trunk negotiation on access ports
-physical security is key
-place unused ports in a black-hole VLAN
-use SSH when possible.
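An added Python audit (not from the original notes) that checks a running-config against the best practices above and the DTP notes from the trunking section: DTP negotiation left on access and uplink ports, PortFast without BPDU guard, trunks that allow every VLAN, CDP on access ports, and unused ports not parked in the black-hole VLAN. The config excerpt, interface names and the black-hole VLAN 999 are constructed for the example; each port kind appears once in a weak form and once hardened.

```python
BLACKHOLE_VLAN = 999   # assumed: the VLAN this site parks unused ports in

# Constructed running-config excerpt (not from any real switch).
RUNNING_CONFIG = """\
interface FastEthernet0/1
 description user port, PortFast only
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet0/2
 description hardened user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 description unused
 shutdown
!
interface GigabitEthernet0/1
 description uplink to distribution
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 description uplink to distribution, hardened
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> dict:
    """{interface name: [indented config lines]} from a show running-config dump."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_interface(lines: list) -> list:
    """Findings for one port, each named after the best practice it violates."""
    cmds = set(lines)
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    if "shutdown" in cmds:
        # An unused port should be shut AND parked in the black-hole VLAN.
        if f"switchport access vlan {BLACKHOLE_VLAN}" not in cmds:
            return ["unused-port-not-in-blackhole-vlan"]
        return []
    findings = []
    if mode in (None, "dynamic"):
        # auto/desirable: the port will form a trunk with any peer that talks DTP
        findings.append("dtp-negotiation-enabled")
    if mode == "access":
        if "switchport nonegotiate" not in cmds:
            findings.append("access-port-still-sends-dtp")
        if "no cdp enable" not in cmds:
            findings.append("cdp-enabled-on-access-port")
    else:
        # Anything that can become a trunk should carry only the VLANs it needs.
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append("trunk-allows-all-vlans")
        if mode == "trunk" and "switchport nonegotiate" not in cmds:
            findings.append("trunk-negotiation-not-disabled")
    if "spanning-tree portfast" in cmds and "spanning-tree bpduguard enable" not in cmds:
        findings.append("portfast-without-bpduguard")
    return findings


def audit_config(config: str) -> dict:
    """Run the per-port checks over every interface block in the config."""
    return {name: audit_interface(lines)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for port, findings in audit_config(RUNNING_CONFIG).items():
        print(f"{port:22s} {'OK' if not findings else ', '.join(findings)}")
```

Run against the sample, the two hardened ports come back clean while FastEthernet0/1 and GigabitEthernet0/1 show the classic gaps; the same parser can be pointed at a saved "show running-config" to find them on a real switch.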