Thursday, 26 July 2018

CCNP switching

Switching Review

Remember your subnet masks, review subnetting if needed.
/24        255.255.255.0
/25        255.255.255.128
/26        255.255.255.192
/27        255.255.255.224
/28        255.255.255.240
/29        255.255.255.248
/30        255.255.255.252
/31        255.255.255.254


Converting to hexadecimal
You might have to convert an HSRP group number so you can identify the virtual MAC address (the group number is the last byte of the MAC, written in hex). It shouldn't be a big number.

Hexadecimal is base 16. The digits 0-9 keep their decimal value; the letters A-F stand for 10-15:
A = 10
B = 11
C = 12
D = 13
E = 14
F = 15

We take our decimal number and divide by 16, write down the remainder, then divide the quotient by 16 again, until the quotient is 0. The remainders, read from the last one back to the first, are the hex digits.

17 divided by 16 goes in 1 time with remainder 1
1 divided by 16 goes in 0 times with remainder 1

17 in hex is 0x11


18 divided by 16 goes in 1 time with remainder 2
2 divided by 16 goes in 0 times with remainder 2
18 in hex is 0x12

Standards
802.1d Spanning Tree Protocol (STP)
802.1w Rapid Spanning Tree Protocol (RSTP) 
802.1q Dot1q VLAN trunking
802.1p Quality of service (QoS): the 3-bit priority field carried inside the 802.1Q tag
802.1s Multiple spanning tree (MST)
802.1ad QinQ: allows a second VLAN tag to be added in front of an already tagged frame


L2/L3
L2 switching forwards on destination MAC addresses
L3 switching forwards on destination IP addresses (and can look at L4 ports for ACLs and QoS)

Don't forget OSI model
7 Application---------Away----------All
6 Presentation-------Pizza----------People
5 Session---------------Sausage-----Seem
4 Transport-----------Throw---------To
3 Network-------------Not-------------Need
2 Data link------------Do---------------Data
1 Physical--------------Please---------Processing
What a switch does when it gets a frame
Forward (send it out the one interface the destination MAC was learned on)
Flood (copy the frame and send it out every other port in that VLAN: broadcasts, multicasts and unknown unicasts)
Discard/filter (drop it: destination is on the port it arrived on, the port is blocked by STP, the VLAN is not allowed on this trunk, etc.)

Inter-vlan routing 
Verify the trunking config of a router (router on a stick, 802.1Q subinterfaces)
show vlans
show ip route

MAC address table commands
mac address-table aging-time <secs>
Adding a static MAC address for hosts that never send (so the entry is never learned and never ages out); it also pins that MAC to one port
mac address-table static <mac> vlan <id> interface <type/number>

show mac address-table dynamic address <mac>
show mac address-table count

VLANs and Trunks
Groups of users separated into different broadcast domains (VLANs).
Stops flooding of traffic from one group into another
Security (traffic between VLANs has to cross a L3 device, where you can filter it)
ISL is Cisco proprietary
ISL does not modify the original frame, it encapsulates it:
26-byte header
4-byte trailer (its own FCS error checking)
Supports legacy protocols

802.1Q (IEEE standard, what is mostly used in the wild)
802.1Q does modify the original frame: it inserts a 4-byte tag after the source MAC and recalculates the FCS

Native VLAN concept (untagged)
other VLANs (tagged)

VLAN ranges
VLAN 1 = default Cisco native VLAN (and the default VLAN for every port; don't leave user ports in it)
VLANs 2 - 1001 = normal VLANs, can be created, used and deleted
VLANs 1006 - 4094 = extended VLAN range, not advertised or pruned by VTP v1/v2
VTPv3 adds support for private VLANs and the extended range


Looking for native VLAN mismatch between SW1 and SW2
Run the command below on both switches:
show interfaces FastEthernet 0/1 trunk
Check that the native VLAN matches on both sides. If it does not, untagged frames from one native VLAN are delivered into the other VLAN (CDP also logs a native VLAN mismatch, and PVST+ puts the affected VLANs into an inconsistent, blocking state)

show interfaces trunk
show interfaces switchport
show interface fa0/1 status

Global command to tag the native VLAN on every trunk, so untagged frames are no longer accepted as native VLAN traffic (closes the double-tagging hole):
vlan dot1q tag native

DTP (Dynamic Trunking Protocol) negotiates whether a link becomes a trunk and which encapsulation it uses:
ISL = Cisco proprietary, 30 bytes of encapsulation

802.1Q = open IEEE standard, a 4-byte tag, smaller than ISL, so it's what is used everywhere today
4 bytes

Normal Ethernet frame
  6 bytes       6 bytes      2 bytes          Up to 1500 bytes   4 bytes
[ DST MAC ] [ SRC MAC ] [ Type/Length ] [ Payload (data) ]  [ FCS/CRC ]

802.1Q tagged frame (4 bytes longer, up to 1522 bytes on the wire: the "baby giant")
  6 bytes       6 bytes      4 bytes        2 bytes          Up to 1500 bytes   4 bytes
[ DST MAC ] [ SRC MAC ] [802.1Q tag] [ Type/Length ] [ Payload (data) ]  [ FCS/CRC ]

4 bytes = 32 bits

Zoom in on the 802.1Q tag

TPID (16 bits) - 0x8100, basically says "this is 802.1Q" (it sits where the EtherType normally is)
Priority/PCP (3 bits) - QoS, 802.1p class of service
CFI (1 bit) - originally a canonical-format flag for Token Ring compatibility, now DEI (drop eligible)
VID (12 bits) - the VLAN tag; 2^12 = 4096 values, but 0 and 4095 are reserved so 4094 VLANs are usable

Don't allow vlans 3 and 4 on this trunk
switchport trunk allowed vlan remove 3-4

VLAN range 1 - 4094
1 - 1001 normal VLAN range
1002 - 1005 reserved for Token Ring and FDDI, not used anymore
1006 - 4094 extended range (the switch must be in VTP transparent mode, or run VTPv3)
Older switches don't support VTPv3.
In transparent mode extended VLANs are kept in the running config rather than vlan.dat, and converting back is a big manual job

Trunk port setup
switchport trunk encapsulation dot1q (needed on switches that also support ISL; set it before switchport mode trunk)
switchport trunk native vlan 2
switchport trunk allowed vlan 1-5,99,1002-1005
switchport mode trunk
switchport nonegotiate (disable DTP; both sides must then be manually configured as trunks)
no shutdown

Configuring VLANs
Legacy: VLAN database mode (old, don't use, new features won't work)
Modern: vlan <vlan id> in global configuration mode

Show the vlans on a trunk interface
show interfaces fastethernet  0/1 trunk

Ether-channel (LAG)
More bandwidth with 2 or more cables without STP blocking any of them (STP sees the bundle as one link).
PAgP (Port Aggregation Protocol, Cisco proprietary)
LACP (IEEE 802.1AX, 2008, open standard)

LACP was originally standardised as IEEE 802.3ad (year 2000)


LACP only works on full-duplex ports (who wants half duplex anyway)
PAgP will run on half duplex, but who wants to use that

PAgP allows 8 active ports
LACP allows 8 active ports plus up to 8 hot-standby ports in the same bundle

LACP is better? It's the open standard, so it also works with non-Cisco switches and servers.

LACP system priority
Each switch has a system priority (default 32768, lower is better) which together with its MAC forms the LACP system ID; the switch with the lower system ID decides which ports go active when more than 8 are in the bundle
Each port also has a port priority (default 32768). Port priority is compared first, then the port number (lower number is better)

LACP has passive (like PAgP auto) and active (like PAgP desirable) modes

PAgP has auto and desirable

What variable is used to do load balancing
show etherchannel load-balance
There are many options here (src-mac, dst-mac, src-dst-mac, src-ip, dst-ip, src-dst-ip, and on some platforms L4 ports)

Test the load balancing
test etherchannel load-balance interface port-channel 1 ip <src-ip> <dst-ip>
Shows which member link that particular flow will use (use mac <src> <dst> when the bundle balances on MAC addresses)

Force ether channel
channel-group <x> mode on (no PAgP, no LACP, forcing the EtherChannel)
This manually creates an EtherChannel without using a negotiation protocol like PAgP or LACP. Both ends must be set to on; if the far end does not bundle the same ports, STP sees independent links and you can get a loop or a suspended bundle.


Configure EtherChannel as layer 3
Configure the member ports (no switchport must come before channel-group so the port-channel is created as a routed interface; mode desirable = PAgP)
interface gigabitEthernet 0/3
no switchport
channel-group 10 mode desirable
exit

interface gigabitEthernet 0/4
no switchport
channel-group 10 mode desirable
exit

Configure the IP on the port-channel interface
interface port-channel 10
no switchport
ip address 10.1.1.50 255.255.255.0

Switch Design big picture
Cisco has enterprise composite model online which you can use.

Typical design
Router/Firewall
L3 switches (core) move data between buildings
L3 (or L2) switches (distribution) inside each building
L2 switches connected to user devices (access) inside each building

Many smaller designs merge Core/Distribution into the same layer.
Router/Firewall
L3 Core/Distribution
L2 Access

Switch stacks and redundant links are used.

In the beginning: the flat network
Small businesses usually start with one switch, then expand and keep adding on, often daisy-chaining devices with lots of single points of failure: one large failure domain. Later a network admin comes in and organises things, adding redundancy, creating VLANs etc.

Switching is moving towards using L3 switches and routing protocols in the distribution layer and even the access layer. Not everyone can afford L3 switches at the access layer, and they might not have staff with the skills to administer them either.

L3 to the distribution layer

L3 to the access layer
We have gigabit switches now so we have the speed to do this.
We eliminate STP from the access switch uplinks upwards
We run routing protocols (EIGRP/OSPF) for fast failover and equal-cost load balancing.
The uplinks become point-to-point routed links (like WAN links)
We still need STP on the ports that are connected to users (with BPDU guard), because users can plug anything in

The Campus network design (hierarchical design)

It's a modular design that can expand as the business grows

Access layer (user desktops plug in here)
Normally L2 switches but could be L3
VLANs
QoS (marking, policing)
Security (802.1X, port security)
Multicast traffic management (IGMP snooping)
Inline power (PoE for IP phones, WAPs etc.)

Distribution
Normally L3 switching (could be L2 too but will hit scaling limits)
Multiple connections down to access devices
Multiple connections up to core devices
Gateway redundancy (HSRP, VRRP, GLBP)
EtherChannel / NIC teaming / link bundling 802.3ad (LAG)
Load balancing (OSPF cost, PVST root placement per VLAN, etc.)
Summarization

Core
High-end devices
CRS (in the ISP)
6500s
Typically L3
The fastest and most reliable devices

The blocks can be replicated. Troubleshooting and fault isolation is easier.

100,000 hosts (laptops, phones, printers etc.)
The CAM table becomes too large.
If the CAM table fills up the switch floods every unknown destination out all ports and starts acting like a hub. A MAC flooding attack fills it on purpose for exactly that reason, so port security with a maximum MAC count belongs on access ports.
L3 routing segments the L2 domain into smaller pieces

Broadcast storms also hurt L2 networks
Normal broadcasts: ARP requests, Windows file sharing/NetBIOS, DHCP etc.
As the L2 network grows so does the broadcast domain.
If there are too many broadcasts the network slows down until it is unusable.

L2 switches stick to one media (ethernet)
L3 switches can mix media because they forward on IP addresses

L3 switch is a hardware accelerated router.

VLANs, Trunking and VTP

Separating broadcast domains
Each VLAN has its own CAM table
ARP uses broadcasts so it only works within a VLAN. You need L3 to get to other VLANs.
The old rule was 80/20: 80% local traffic, 20% to a remote destination
Today it's flipped, 20/80
One VLAN per subnet
When a frame is received the switch sees which VLAN it was received on and looks in that VLAN's CAM table for the destination MAC address.

exec mode -> vlan database mode is for old devices, no one uses this anymore
Normally we use global configuration mode
The VLAN definitions are stored in vlan.dat (in flash), not in the running config

Spaces are not allowed in VTP domain names
VTP authentication: the VTP password is hashed (MD5) into the advertisement digest, it is not sent in the clear

Adding a VLAN with VLAN database mode (legacy)
vlan database
vlan 10 name ACCOUNTING
exit

Adding a VLAN with global config mode
conf t
vlan 20
name SALES
exit
vlan 30,40,50-55 (notice we can add several VLANs at the same time)
end



Port types
Access ports (one data VLAN per port, plus optionally a voice VLAN)
switchport mode access

Trunk ports (multiple VLANs per port)
switchport mode trunk

Dynamic ports (DTP automatically chooses access or trunk)
Sometimes left on for IP phones (a phone should go on an access port with a voice VLAN instead). Usually a security risk, because whatever is plugged in can negotiate a trunk and reach every VLAN, so people don't use them: hard-code access or trunk and add switchport nonegotiate

Good command as it shows lots of information on one screen
show int status

Show MAC addresses learned in VLAN 1
show mac address-table dynamic vlan 1

Show details of the port: which features are turned on, what mode it is in, what voice VLAN is assigned
show interfaces fa0/1 switchport


Quick way to see which ports are assigned to which VLANs
show vlan brief

Incomplete in show arp means we sent an ARP request and got nothing back.

VLAN trunks
Trunk links are used to transport traffic for multiple VLANs between devices (switches)
ISL and 802.1Q are protocols for doing this.
ISL is Cisco proprietary
802.1Q is the IEEE (open) standard and is the one used in the wild.


CAM table

Finding where a host is plugged in

ping 192.168.1.10
arp -a (see the MAC address)

On the switch (Cisco writes MACs as xxxx.xxxx.xxxx)
show mac address-table address xxxx.xxxx.xxxx
The switch will tell you which port it sees that address on
show mac address-table interface fa0/1
If we see lots of MAC addresses on that interface then it's probably an uplink to another switch (or an unmanaged switch/hub someone plugged in, or a host flooding the table)
Again, give your uplinks descriptions, always use the highest-numbered ports for uplinks, use colour-coded cables
show cdp neighbors
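A small parser for the output above, added here as an example (not part of the original notes): it reads a "show mac address-table dynamic" dump, answers the "where is this MAC" question in code, and flags access ports that have learned more MACs than expected, which is either an undocumented switch or a host flooding the CAM table. The switch output is constructed for the example, and the set of known uplinks and the per-port threshold are assumptions you would adapt to your own network.

```python
# Added example (not from the original notes): parse 'show mac address-table dynamic'
# output and count MAC addresses per port. Many MACs on a known uplink is normal;
# many MACs on an access port is the signature of CAM-table flooding (or an
# unmanaged switch). SAMPLE_OUTPUT is constructed; the threshold and the uplink
# set passed to find_suspicious_ports() are assumptions.
from collections import defaultdict
import re

SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  10    0011.2233.4467    DYNAMIC     Fa0/2
  10    0011.2233.4468    DYNAMIC     Fa0/2
  10    0011.2233.4469    DYNAMIC     Fa0/2
  10    0011.2233.446a    DYNAMIC     Fa0/2
  20    0011.2233.5555    DYNAMIC     Gi0/1
  20    0011.2233.5556    DYNAMIC     Gi0/1
  20    0011.2233.5557    DYNAMIC     Gi0/1
  20    0011.2233.5558    DYNAMIC     Gi0/1
  20    0011.2233.5559    DYNAMIC     Gi0/1
  20    0011.2233.555a    DYNAMIC     Gi0/1
  20    0011.2233.555b    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 13
"""

# vlan, Cisco dotted MAC, type, port; header and separator lines don't match
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text: str) -> list:
    """Return one dict per learned entry: vlan, mac, type, port."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"vlan": int(m.group(1)), "mac": m.group(2).lower(),
                            "type": m.group(3).upper(), "port": m.group(4)})
    return entries

def macs_per_port(entries: list) -> dict:
    """{port: number of distinct MACs}; a MAC seen in two VLANs counts once."""
    per_port = defaultdict(set)
    for e in entries:
        per_port[e["port"]].add(e["mac"])
    return {port: len(macs) for port, macs in per_port.items()}

def find_suspicious_ports(entries: list, known_uplinks: set,
                          max_per_access_port: int = 3) -> list:
    """Ports not in known_uplinks that learned more than max_per_access_port MACs.
    A phone plus a PC is 2, a VM host a few more; dozens or thousands is flooding."""
    counts = macs_per_port(entries)
    return sorted(port for port, n in counts.items()
                  if port not in known_uplinks and n > max_per_access_port)

def locate_mac(entries: list, mac: str) -> list:
    """The 'where is this host plugged in' lookup from the notes, in code."""
    mac = mac.lower()
    return [e["port"] for e in entries if e["mac"] == mac]

if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_OUTPUT)
    print(macs_per_port(table))
    print("suspicious:", find_suspicious_ports(table, known_uplinks={"Gi0/1"}))
    print("0011.2233.4455 is on", locate_mac(table, "0011.2233.4455"))
```

Run it against a real dump by pasting the switch output in place of SAMPLE_OUTPUT; the port that shows up as suspicious is where you would check CDP/LLDP and, if nothing legitimate is there, apply port security with a maximum.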


TCAM (ternary content-addressable memory, the hardware L3/ACL table)
Routing at wire speed
Why don't we replace all routers (software based) with L3 switches?
Router IOS is feature rich
Adding features in software is easier than building ASICs
e.g. no ASIC for NAT on most switches

show platform tcam utilization

SDM templates (switch database management templates)
Allow you to allocate TCAM resources between MAC entries, routes, ACLs etc.
conf t
sdm prefer [access | default | dual-ipv4-and-ipv6 ... | routing | vlan] (options vary by platform; a reload is needed to apply)

CDP (Cisco Discovery Protocol)
LLDP (Link Layer Discovery Protocol)


CDP MAC address:   01:00:0c:cc:cc:cc
LLDP MAC address: 01:80:c2:00:00:0e (nearest bridge; 00:00:03 and 00:00:00 are the other two LLDP scopes)

CDP is Cisco only. Shows only directly connected devices.
Helps you get your bearings; you can build network diagrams from it. It also tells anyone on the port the platform, IOS version and management IP, so turn it off on user-facing ports and keep it on toward phones and other switches.

Cisco Discovery Protocol (CDP) is very crucial in the operation of a Cisco IP phone. It not only provides the AUX (voice) VLAN ID so the phone can begin sending traffic on the voice VLAN, it also allows the phone to automatically negotiate power settings.

Enabling a voice VLAN automatically enables portfast
switchport mode access
switchport voice vlan 10

With the config above "spanning-tree portfast" will automatically be enabled

CDP commands
show cdp neighbors
show cdp neighbors detail
show cdp entry xx*
cdp run (turn on CDP globally)
no cdp run (turn off CDP globally)
no cdp enable (turn off CDP under a specific interface)

Don't advertise the native VLAN and VTP domain anymore (CDPv2 TLVs)
no cdp advertise-v2

LLDP
lldp run (global)
int fa0/1
lldp ? (lldp transmit / lldp receive: with LLDP you can choose which ports send and/or receive)
LLDP can carry more information than CDP (LLDP-MED for phones)

LLDP
LLDP default timer is 30 seconds

LLDP will probably replace CDP as time goes on.


Key interface counters
sh interface fa0/1
fa0/1 is up, line protocol is up. We want to see up/up

Next look at the duplex: full duplex, and the same on both ends

Last clearing of interface counters
clear counters fa0/1, then see if the errors are still climbing

Next look at the input queue (drops there mean the switch couldn't keep up)

Runts (frames under 64 bytes): likely a duplex mismatch, collision-fragmented packets
Input errors on their own with no runts: could be a cable

Late collisions: again a duplex mismatch, or an Ethernet cable that is too long

Giants: frames larger than the configured MTU, e.g. jumbo frames (up to 9000 bytes of data) arriving on a port not configured for them; you need to configure jumbo frames end to end

Ethernet to fiber transceivers

Handling error-disabled ports
The switch detects some issue with the port and puts it in err-disabled state
It won't come back unless the net admin does a shut / no shut, or errdisable recovery is configured (errdisable recovery cause <cause>, errdisable recovery interval <secs>)

show int fa0/1
the interface shows as down/down with the message (err-disabled)

Find ports that are err-disabled
show interfaces status err-disabled
shows the ports that are err-disabled and the reason
err-disabled ports usually get disabled for a good reason (BPDU guard, port security violation, UDLD, link flap), so find out why before re-enabling


Power over Ethernet
IP phones, security cameras and wireless APs


The idea of having a single VLAN spanning multiple switches is going away as L3 moves towards the access layer
VLANs are still used on ESX servers, management VLANs etc.

QinQ (802.1ad)
802.1Q is the VLAN tagging protocol
VLAN 10 in the corporate office goes through the provider's WAN cloud to the other site where VLAN 10 is plugged in
The service provider adds its own outer tag (S-tag); the customer's tag (C-tag) rides inside it untouched


VLANs VTP

Simplifies your VLAN configuration
All devices are members of a VTP domain
Once you add/remove a VLAN on a server it replicates to the rest
This is extremely useful and dangerous: a switch joining the domain with a higher configuration revision overwrites the VLAN database on every switch, a lab switch plugged in by mistake included
You still need to assign the VLAN to a port, but you don't have to create it on 100 devices

VLAN pruning
"I don't have any ports in VLAN 10, so stop sending me flooded traffic for VLAN 10"

VLANs that are not allowed on a trunk never get their frames sent, regardless of VTP pruning being on or off.

Issuing switchport trunk allowed vlan remove 20 removes that VLAN completely from the trunk link (and breaks the path for any switch further down that needs VLAN 20). A softer method is to enable VTP pruning, which only stops flooding where there are no ports in the VLAN

conf t
vtp pru                                                                                                                                                                                                                                                                                                                                                   ning


Define which VLANs should not be pruned (remove them from the pruning-eligible list)
switchport trunk pruning vlan remove 30,40


VTP revision number increases each time the VLAN database changes
Devices will always update to the highest revision, wherever it came from

Version 1
First version, 1993ish

Version 2
1999

Version 3
More recent
Complete rewrite
The VTP domain name must be configured manually (it is no longer learned from the first advertisement); the VTP password can be stored hidden/hashed
Private VLANs (VLANs inside of VLANs) and extended-range VLANs
They addressed the concerns but people still didn't want to use it
FYI there are security issues with VTP (the revision-number overwrite above, no authentication unless a password is set), and this is why it is often off
If you go L3 switching VLANs are locally significant so you don't need VTP.

VTP Modes

Server
Create/delete VLANs and originate advertisements (the default mode)

Client
Can't create VLANs, only learns them from the server

Transparent
Hears VTP and passes it through but doesn't act on it (keeps its own local VLAN database)

Off
Same as transparent but does not forward VTP advertisements at all

VTP revision number
sh vtp status will show the revision number
All switches should agree

VTP advertisements contain
  • Password digest (an MD5 of the password and VLAN config, not the password itself)
  • Revision number
  • Management domain name


VLAN Trunking in depth
"Trunk interface" is a Cisco word. Other vendors call it a tagged interface.
If you enable a trunk port, by default it will carry all VLANs.
With other vendors you have to add the VLANs to the trunk explicitly.
802.1Q
A 4-byte / 32-bit tag goes into the header of the Ethernet frame, right after the source MAC
First 16 bits (TPID, 0x8100) basically say "this is 802.1Q"
12 bits are used for the VLAN ID (2^12 = 4096 values, 4094 usable VLANs)
3 bits are used for PRI / PCP (class of service, used for QoS at layer 2)
1 bit CFI/DEI (discard eligible) can be used to drop low-value frames under congestion before TCP windowing kicks in
All of the above is in the 4-byte tag
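As an added example (not from the original notes), the following Python builds and decodes the tag described here and in the earlier "Zoom in on the 802.1q tag" section, then stacks two tags the way QinQ does. The frames and MAC addresses are constructed; the TPID values 0x8100 (802.1Q) and 0x88A8 (802.1ad S-tag) are the standard ones. The last function shows why the native VLAN matters: a trunk that strips the outer (native) tag leaves any inner tag in place.

```python
# Added example (not from the original notes): build and parse the 4-byte 802.1Q tag
# (TPID 16 bits, PCP 3, CFI/DEI 1, VID 12), stack a QinQ S-tag + C-tag, and show what
# is left after a trunk strips a native-VLAN outer tag. All frames are constructed.
import struct

TPID_8021Q = 0x8100    # customer tag (C-tag)
TPID_8021AD = 0x88A8   # service-provider outer tag (S-tag) used by QinQ
ETHERTYPE_IPV4 = 0x0800
SAMPLE_DST = bytes.fromhex("ffffffffffff")   # constructed sample addresses
SAMPLE_SRC = bytes.fromhex("001122334455")

def vlan_tag(vid: int, pcp: int = 0, dei: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Return the 4-byte tag: TPID, then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 0 < vid < 4095:          # 0 and 4095 are reserved, hence 4094 usable VLANs
        raise ValueError("VID must be 1-4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack(">HH", tpid, tci)

def build_frame(dst: bytes, src: bytes, tags: list, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with zero or more tags inserted after the source MAC."""
    return dst + src + b"".join(tags) + struct.pack(">H", ethertype) + payload

def parse_frame(frame: bytes) -> dict:
    """Peel every tag off a frame, outermost first, and return the fields."""
    dst, src, offset = frame[:6], frame[6:12], 12
    tags = []
    while True:
        tpid = struct.unpack(">H", frame[offset:offset + 2])[0]
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break                                   # reached the real EtherType
        tci = struct.unpack(">H", frame[offset + 2:offset + 4])[0]
        tags.append({"tpid": tpid, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
                     "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": tpid, "payload": frame[offset + 2:]}

def strip_native_tag(frame: bytes, native_vid: int) -> bytes:
    """What a trunk does on egress when the outermost tag is the native VLAN:
    remove that one tag and send the rest untagged. Any inner tag survives."""
    parsed = parse_frame(frame)
    if parsed["tags"] and parsed["tags"][0]["vid"] == native_vid:
        return frame[:12] + frame[16:]
    return frame

def demo_qinq() -> list:
    """Provider S-tag 200 outside, customer C-tag 10 inside: VIDs outermost first."""
    frame = build_frame(SAMPLE_DST, SAMPLE_SRC,
                        [vlan_tag(200, tpid=TPID_8021AD), vlan_tag(10)],
                        ETHERTYPE_IPV4, b"ip...")
    return [t["vid"] for t in parse_frame(frame)["tags"]]

def demo_native_strip(native_vid: int = 1) -> list:
    """Double tag whose outer VID equals the native VLAN. Once the trunk strips the
    native tag, the inner tag is all that is left, so the frame lands in VLAN 10.
    This is why 'vlan dot1q tag native' and a native VLAN with no user ports in it
    are recommended."""
    frame = build_frame(SAMPLE_DST, SAMPLE_SRC, [vlan_tag(native_vid), vlan_tag(10)],
                        ETHERTYPE_IPV4, b"ip...")
    return [t["vid"] for t in parse_frame(strip_native_tag(frame, native_vid))["tags"]]

if __name__ == "__main__":
    tagged = build_frame(SAMPLE_DST, SAMPLE_SRC, [vlan_tag(10, pcp=5)], ETHERTYPE_IPV4, b"ip...")
    print("single tag:", parse_frame(tagged)["tags"])
    print("QinQ VIDs outer->inner:", demo_qinq())
    print("after native tag stripped:", demo_native_strip(1))
```

The parser accepts both TPIDs so it decodes provider frames as well as plain 802.1Q; a switch that does not understand 0x88A8 would treat the S-tag as an unknown EtherType and the frame as untagged.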

Trunking can be negotiated (with DTP) but that is not recommended: a host speaking DTP can become a trunk and reach every VLAN

See all the details about trunking on a port
show interface fa0/1 switchport

Enable a trunk interface
int fa0/1
switchport trunk encapsulation dot1q (use 802.1Q; set this before mode trunk on switches that also do ISL)
switchport mode trunk (enable it as a trunk)
switchport trunk allowed vlan 1,10 (allow only VLANs 1 and 10)
switchport nonegotiate (turn off DTP: it slows down link bring-up and is an attack surface)

show interfaces trunk
See all trunk interfaces and what VLANs are allowed on those trunks

It's best practice to manually prune: allow only the VLANs each trunk actually needs

Add a new VLAN to the trunk

int fa0/1
switchport trunk allowed vlan add 20 (this appends VLAN 20 to the currently allowed VLANs)
switchport trunk allowed vlan 20 (this replaces whatever is there with just VLAN 20, a classic way to cut yourself off)

Native VLAN
The native VLAN is for devices that don't know about VLANs.
When we receive an untagged frame on a trunk it is placed in the native VLAN. Use a dedicated native VLAN with no user ports in it (not VLAN 1), or tag the native VLAN globally.

DHCP in a VLAN environment
The IP helper command is commonly used for DHCP servers.
Routers don't forward broadcasts, but a handful of UDP broadcast services are relayed by default
These ports are forwarded with the ip helper-address command
You can remove ports you don't want to forward with another command, see below
69 TFTP
67 BOOTP/DHCP server
68 BOOTP/DHCP client
37 Time protocol (not NTP, which is 123 and not relayed)
49 TACACS
53 DNS
137 NetBIOS name service
138 NetBIOS datagram

It converts whatever broadcasts match those ports to a unicast and sends it to the specified server
We can have 1 DHCP server for several VLANs

Using IP helper but don't forward TFTP (forward only what you need; relaying TFTP, NetBIOS and TACACS by default is attack surface you probably don't want)
interface vlan 10
ip helper-address 10.55.55.10
exit
no ip forward-protocol udp 69

ip forward-protocol is a global command, so it applies to every helper address on the box.

STP back to the core

Spanning tree is good because it allows us to have redundant links without causing a loop
It elects a root bridge
Looks at the bridge priority and the MAC address, together called the bridge ID
32768 default priority
The lowest MAC address wins the tie, usually the oldest device, so set the priority explicitly on the switch you want as root
EtherChannel can provide more bandwidth on key links

Elect the root bridge
All the others find the best path to the root bridge
Lowest root path cost (if your links are the same speed go to the next level)
Lowest sender bridge ID (if you have an EtherChannel or two parallel links to the same switch, the bridge ID is the same, so go to the next level)
Lowest sender port ID (port priority, then port number) on the upstream switch

Default costs
10Mbps 100
100Mbps 19
1000Mbps 4
10000Mbps 2

STP 802.1D default timers
hello             2 seconds
max age          20 seconds
forward delay    15 seconds

Get a trunk to use portfast (port is connected to a server that needs a trunk, never to another switch)
spanning-tree portfast trunk

STP priority
  • Lowest value will become the root
  • Set a high value if we don't want to be the root for that VLAN
spanning-tree vlan 100 priority 4096 (we want to be root)
spanning-tree vlan 100 priority 61440 (we don't want to be root)

Value increments of 4096 (the low 12 bits of the 16-bit field carry the VLAN ID)
Lowest value 0
Default value 32768
Highest value 61440

0
4096
8192
12288
16384
20480
24576
28672
32768
.
.
61440

Find ports blocked by root guard or loop guard (inconsistent state)
show spanning-tree inconsistentports

STP standards

There are 5 different flavours of STP.

Normal STP (802.1D), one instance for all VLANs (common spanning tree)

PVST+
Per-VLAN spanning tree: Cisco chopped up the 16-bit priority field and left the low 12 bits for the VLAN ID (extended system ID), so the priority shown is priority + VLAN
You can have different devices be the root bridge for different VLANs
This makes sense for larger networks

Rapid spanning tree (802.1w) is a faster version of normal STP (802.1D)
Rapid STP is more proactive and communicative than normal STP (proposal/agreement handshake instead of waiting for timers)

Cisco created per-VLAN rapid spanning tree (Rapid PVST+)

Multiple spanning tree protocol (MSTP, 802.1s): groups of VLANs per instance

Consider 3 switches connected in an STP triangle

A pri 0x8002 mac:00:00:00:12:12:12
B pri 0x8000 mac:00:00:00:13:13:13
C pri 0x8003 mac:00:00:00:11:11:11

A gig0/1 -> gig0/1 B
A gig0/2 -> gig0/2 C
B gig0/1 -> gig0/1 A
B gig0/2 -> gig0/1 C
C gig0/2 -> gig0/2 A
C gig0/1 -> gig0/2 B

Switch B will become root because it has the lowest priority (0x8000). If priorities matched, the MAC address would break the tie (C has the lowest MAC, but its priority is the highest, so it loses).

On the root bridge/switch all ports are unblocked: they are designated ports in the forwarding state

B gig0/1 -> gig0/1 A
B gig0/2 -> gig0/1 C

The downstream switches' ports on their best path to the root are called "root" ports

A gig0/1 -> gig0/1 B
C gig0/1 -> gig0/2 B

Now A and C must decide which end of the A-C link is the designated port (the backup path to the root); the other end must block. Their root path cost to B is the same (one gigabit hop each), so the sender bridge ID is used. Switch A has the lower bridge ID (0x8002 < 0x8003), so A gig0/2 becomes the designated port.

Switch C's gig0/2 becomes the blocked (non-designated, "alternate" in RSTP terms) port
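The same election, worked through in code as an added example (not part of the original notes). It uses the bridge IDs, ports and gigabit cost (4, from the default cost table above) of the triangle, and assumes the default port priority of 128 on every port; port numbers are read from the interface names. The tie-break order is the 802.1D one: root path cost, then sender bridge ID, then sender port ID.

```python
# Added example (not from the original notes): a small 802.1D election over the
# three-switch triangle described above. Assumptions: default port priority 128,
# link cost 4 (gigabit), port number taken from the interface name (gig0/1 -> 1).
import heapq

# bridge priority (as printed in the notes) and MAC, per switch
BRIDGES = {
    "A": (0x8002, "00:00:00:12:12:12"),
    "B": (0x8000, "00:00:00:13:13:13"),
    "C": (0x8003, "00:00:00:11:11:11"),
}
# (switch, port, switch, port, link cost)
LINKS = [
    ("A", "gig0/1", "B", "gig0/1", 4),
    ("A", "gig0/2", "C", "gig0/2", 4),
    ("B", "gig0/2", "C", "gig0/1", 4),
]
DEFAULT_PORT_PRIORITY = 128

def bridge_id(name: str) -> tuple:
    """Lower (priority, MAC) wins: exactly the comparison the election makes."""
    prio, mac = BRIDGES[name]
    return (prio, int(mac.replace(":", ""), 16))

def port_id(port: str) -> tuple:
    """Port ID = (port priority, port number); the number comes from the name."""
    return (DEFAULT_PORT_PRIORITY, int(port.rsplit("/", 1)[1]))

def elect_root() -> str:
    return min(BRIDGES, key=bridge_id)

def root_path_costs(root: str) -> dict:
    """Dijkstra from the root: the cost each switch advertises in its BPDUs."""
    cost = {name: float("inf") for name in BRIDGES}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost[node]:
            continue
        for a, _pa, b, _pb, lc in LINKS:
            for here, there in ((a, b), (b, a)):
                if here == node and c + lc < cost[there]:
                    cost[there] = c + lc
                    heapq.heappush(heap, (c + lc, there))
    return cost

def port_roles() -> dict:
    """Return {(switch, port): 'root' | 'designated' | 'blocked'}."""
    root = elect_root()
    cost = root_path_costs(root)
    roles = {}
    # 1. root port: on each non-root switch, the port that hears the best BPDU
    #    (lowest cost via that link, then sender bridge ID, then sender port ID)
    for name in BRIDGES:
        if name == root:
            continue
        candidates = []
        for a, pa, b, pb, lc in LINKS:
            for here, ph, there, pt in ((a, pa, b, pb), (b, pb, a, pa)):
                if here == name:
                    candidates.append((cost[there] + lc, bridge_id(there), port_id(pt), ph))
        roles[(name, min(candidates)[3])] = "root"
    # 2. designated port: on every segment, the end that sends the better BPDU
    for a, pa, b, pb, _lc in LINKS:
        better = min(((cost[a], bridge_id(a), port_id(pa), a, pa),
                      (cost[b], bridge_id(b), port_id(pb), b, pb)))
        roles[(better[3], better[4])] = "designated"
    # 3. everything else is non-designated and blocks
    for a, pa, b, pb, _lc in LINKS:
        for key in ((a, pa), (b, pb)):
            roles.setdefault(key, "blocked")
    return roles

if __name__ == "__main__":
    print("root bridge:", elect_root())
    for (sw, port), role in sorted(port_roles().items()):
        print(f"{sw} {port}: {role}")
```

Change B's priority to 0x8004 and re-run to see the root move to A (next-lowest priority), or set all three priorities equal to see C win on its lower MAC, which is the "oldest device becomes root" problem root guard and explicit priorities are there to prevent.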

When STP standards interfere with each other

STP and RSTP are designed to be backwards compatible. An RSTP switch falls back to 802.1D on a per-port basis when it hears 802.1D BPDUs; obviously you lose the advantages of RSTP on that port.

STP and per-VLAN STP
PVST+ <> STP
PVST+ sends one BPDU per VLAN, tagged with the VLAN it belongs to (to a Cisco-specific multicast MAC)
There is one untagged/native VLAN, and that's the only instance a plain 802.1D switch runs
The per-VLAN BPDUs pass through 802.1D switches as if they were not there: a switch without per-VLAN STP doesn't understand them, just floods them through and ignores them

MSTP
Allows you to create different regions (same name, revision and VLAN-to-instance mapping on every switch in a region)
Groups of VLANs per instance instead of single VLANs
MSTI0 (the IST/CIST) is the instance that runs for all VLANs not mapped to another instance, and the one that talks to the outside world
When an MSTP switch reaches a non-MST switch it creates a region boundary and that link is handled by instance 0
MSTP presents itself as a PVST+ switch to PVST+ switches (PVST simulation)
You must make the root bridge somewhere inside the MSTP region, otherwise there will be issues

See how many BPDU's have been sent
show spanning-tree mst detail
show spanning-tree detail

STP UplinkFast, BackboneFast, RSTP

Failure with normal STP (a directly connected link goes down)
UplinkFast deals with direct failures
STP detects it, 15 seconds listening for other BPDUs
15 seconds learning the MAC addresses on the backup port
Transitions into forwarding (30 seconds total)

UplinkFast
In 802.1D, after the election only the root originates BPDUs; the other switches relay the root's BPDUs
UplinkFast is the proprietary Cisco precursor of what RSTP does
The uplink group is the list of ports that can get to the root bridge; when the root port fails the alternate goes to forwarding immediately

RSTP does the same thing but within the standard
When RSTP fails over it makes the alternate port the new root port straight away and temporarily blocks its other non-edge ports (sync) to avoid loops; the downstream switches then agree (proposal/agreement) and the ports are unblocked

BackboneFast deals with failures that happen on other switches
S3 is getting BPDUs on its blocked port and its root port
S2 loses its root port so assumes it is the root
S2 starts sending (inferior) BPDUs to S3 on S3's blocked port
S3 ignores S2 for 20 seconds (max age / 10 missed BPDUs) in case the link comes back

20 secs + 15 listening + 15 learning = 50 seconds

Cisco came up with BackboneFast to avoid this
If S3 gets BPDUs from S2 that now claims to be root
The only way we would be receiving this is if S2 lost its connection and declared itself the root
S3 checks with the root (Root Link Query) and, if its own path is fine, skips max age and deals with it straight away
So it goes down from 50 to 30 seconds

RSTP adopted Cisco's idea
If you get an inferior BPDU
RSTP says: immediately reply with your own (better) BPDU
That gets S2 a path back to the root ASAP

STP VLAN priority and cost
SW1(config)# spanning-tree vlan 1 priority 23189
SW1(config)# spanning-tree vlan 101 priority 32768
SW1(config)# int fa0/2
SW1(config-if)#spanning-tree vlan 202 cost 2

RSTP states
Discarding
Learning
Forwarding 


What happens if S3 receives a superior BPDU from S2
It's because the priority is probably lower on S2 (someone plugged in a switch with a better bridge ID)
In 802.1D this causes the whole topology to change after the timers expire
RSTP accepts it straight away:
ports towards the new root are unblocked, other ports are blocked. Either way the wrong device is now root, which is what root guard and BPDU guard are there to prevent.

BPDU Guard and BPDU Filter

BPDU Guard is to protect you from users bringing in their own devices that participate in spanning tree (an unmanaged switch, or an attacker sending crafted BPDUs to become root). These can cause lots of issues.
BPDU Guard should be turned on on all ports connected to users.
If it sees a BPDU come in on a port it will error-disable the port.
spanning-tree bpduguard enable
show cdp neighbors (to see what device is behind the port)

How to get an error-disabled port back up
int fa2/0/1
shut
no shut

Every port that gets configured for portfast gets BPDU Guard turned on too, with this global command
spanning-tree portfast bpduguard default

BPDU Filter
Ignores BPDUs on an interface (and stops sending them).
Acts like a hub on that port, doesn't participate in STP
It's a good idea not to use this: a loop through that port will never be detected.

int fa1/0/2
switchport mode access
spanning-tree portfast
spanning-tree bpdufilter enable

VLANS, SVI and Routed Port

Configuring VLANs
vlan 10
int fa0/1
spanning-tree portfast
switchport mode access
switchport access vlan 10

Configuring SVIs (Switched Virtual Interface)
conf t
interface vlan 10
ip address 10.1.10.1 255.255.255.0
no shut

Configuring a routed port

interface fa0/24
no switchport
ip address 172.16.1.2 255.255.255.0

Configuring routing

ip routing (on some L3 switches you need to turn it on)
router eigrp 10
no auto-summary
network 10.0.0.0
network 172.16.0.0

(same config on the other side)
show ip eigrp neighbor
show ip route

STP: configuring RSTP and MSTP


show spanning-tree
PVST+ (802.1D, one instance per VLAN) is normally on by default on a Cisco switch

Turn on per-VLAN rapid spanning tree
spanning-tree mode rapid-pvst

MST region (NAME, REVISION, VLAN-to-INSTANCE MAPPING must all match on every switch in the region)

spanning-tree mst configuration
name mymstregion
revision 1
instance 1 vlan 1-3
instance 2 vlan 4-6
spanning-tree mode mst (turn it all on)
show spanning-tree

Set this device as root bridge for VLANs 1-3 (three instances of STP in Rapid PVST+)
spanning-tree vlan 1-3 root primary

Set this device as root bridge for MST instance 2 (one instance of STP for VLANs 4-6)
spanning-tree mst 2 root primary

Ether-channel

Bundle up to 8 ports together
EtherChannel load-balances the traffic per flow
Say you have 8 1Gbps ports. The most a single flow/connection can get is 1Gbps.

LACP, PAgP, Manual (LAG)

PAgP (Cisco proprietary)
LACP (IEEE)

Layer 2 and Layer 3
With L3 switches you can do no switchport and create a L3 ether-channel

interface range fa0/1-2
switchport mode access (or trunk; every member port must have an identical config)
channel-group 1 mode active (LACP)
channel-group 1 mode passive (LACP)
channel-group 1 mode auto (PAgP)
channel-group 1 mode desirable (PAgP)
channel-group 1 mode on (manual)

auto = passive: will make a relationship if asked but won't ask the other side
active = desirable: will ask to make a relationship

One side active and the other passive works; setting both to active also works and is the safer habit (either end initiates).
If both are passive a relationship won't be formed.

Find EtherChannel info
show etherchannel summary
show etherchannel detail
show etherchannel port

Find the EtherChannel STP cost (the bundle shows up as one port-channel with a lower aggregated cost)
show spanning-tree

port-channel load-balance <method> (global, picks the hash input)
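As an added example (not from the original notes), this Python models the per-flow hashing that "show etherchannel load-balance" and "test etherchannel load-balance" are about: the configured fields are hashed into 8 buckets and the buckets are shared out over the member links. The XOR-of-low-bits hash and the modulo bucket assignment are a simplified model, not the platform's ASIC algorithm; the flows are constructed. It shows why one flow never gets more than one link's bandwidth, and why three members split traffic 3:3:2.

```python
# Added example (not from the original notes): a simplified model of EtherChannel
# per-flow link selection. Assumptions: src-dst-ip balancing, the hash is the XOR of
# the two addresses keeping the low 3 bits (8 buckets), buckets spread over members
# with modulo. Real hardware hashes differently but with the same 8-bucket outcome.
import ipaddress
from collections import Counter

BUCKETS = 8
# constructed sample: 16 clients talking to one server
SAMPLE_FLOWS = [(f"10.1.1.{i}", "10.2.2.10") for i in range(1, 17)]

def flow_hash(src_ip: str, dst_ip: str) -> int:
    """src-dst-ip style hash: XOR of the two addresses, keep the low 3 bits."""
    s = int(ipaddress.ip_address(src_ip))
    d = int(ipaddress.ip_address(dst_ip))
    return (s ^ d) & (BUCKETS - 1)

def bucket_to_link(n_links: int) -> dict:
    """Spread the 8 hash buckets over the member links as evenly as 8 allows."""
    if not 1 <= n_links <= 8:
        raise ValueError("an EtherChannel has 1-8 active links")
    return {b: b % n_links for b in range(BUCKETS)}

def choose_link(src_ip: str, dst_ip: str, n_links: int) -> int:
    """The member link a given flow always lands on (what 'test etherchannel
    load-balance' answers on the switch)."""
    return bucket_to_link(n_links)[flow_hash(src_ip, dst_ip)]

def distribution(flows: list, n_links: int) -> dict:
    """How many of the given (src, dst) flows land on each link."""
    return dict(Counter(choose_link(s, d, n_links) for s, d in flows))

if __name__ == "__main__":
    for n in (2, 3, 4, 8):
        print(f"{n} links:", distribution(SAMPLE_FLOWS, n))
    # a single flow: same answer every time, so it is capped at one link's speed
    print("10.1.1.1 -> 10.2.2.10 uses link", choose_link("10.1.1.1", "10.2.2.10", 4))
```

Because the hash only looks at addresses here, every flow between one pair of hosts (a backup job, an iSCSI session, all traffic from behind one NAT) lands on the same member; include L4 ports in the balance method where the platform allows it if that matters to you.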


L3 EtherChannel

Higher capacity routed interface, a high-bandwidth routed link


SW1
conf t
interface port-channel 1
no switchport
ip address 172.16.1.1 255.255.255.0

interface range fa 0/23-24
no switchport
channel-protocol lacp
channel-group 1 mode active

SW2
conf t
interface port-channel 1
no switchport
ip address 172.16.1.2 255.255.255.0

interface range fa 0/23-24
no switchport
channel-protocol lacp
channel-group 1 mode passive

SW1
ping 172.16.1.2
SW2
ping 172.16.1.1


show etherchannel

show lacp ?

STP: Best practice

Out of the box most devices use PVST+/common spanning tree and it's slow by today's standards
Move to RSTP
Rapid PVST+ / MST (does the same thing as RSTP but you can split up VLANs)
Choose the root bridge and backup root bridge carefully (set their priorities, don't leave it to the MAC address)
Turn BPDU guard on on all access ports in case a user plugs a switch in
Root guard on the distribution/core ports that face away from the root (downlinks toward access switches); use root guard carefully, never on the path to the root
Don't daisy-chain more than 7 switches (the 802.1D diameter the default timers assume)
Don't use VTP (you need to configure ports anyway, why risk it)
Don't disable spanning tree
Document everything

STP port-priority and cost
When a downstream switch has two equal-cost paths to you (e.g. two links between the same pair of switches), the sender's port priority breaks the tie for which one becomes its root port; set it with spanning-tree port-priority on the upstream (designated) side. A higher priority value is less preferred: lower wins.

Going away from the root of the tree use port-priority, whereas going towards the root of the tree use cost. For both, the lower value is better.

Root port = the port with the lowest cost to the root switch/bridge
Use port cost to affect the root port selection on the local switch
Use port-priority to affect the root port selection on downstream switches
To make the local switch the root bridge/switch
spanning-tree vlan 100 priority 4096
If we don't want the local switch to be the root bridge/switch use
spanning-tree vlan 100 priority 61440

Port priority default value
128

Port priority valid values
0, 32, 64, 96, 128, 160, 192, and 224 (increments of 32; newer IOS accepts increments of 16 up to 240)

Port speed cost defaults
10 Mbps    100
100 Mbps    19
1 Gbps         4
10 gig           2


Configuring cost and priority (<vlan-a>, <vlan-b>, <vlan-c> are placeholders for VLAN IDs)

sw2(config)# spanning-tree vlan <vlan-a> priority 61440
sw2(config)# int G1/0/2
sw2(config-if)# spanning-tree vlan <vlan-b> cost 1
sw2(config-if)# int G1/0/1
sw2(config-if)# spanning-tree vlan <vlan-c> port-priority 64

L3 switching

Before VLANs we had to build separate physical switches per broadcast domain.
VLANs were great
However if you get a huge number of VLANs spanning the network it can be an issue

Large enterprise solution is L3 switching

SVI (switched virtual interface, replaces the router on a stick)
interface vlan 10

We get ASIC-based routing with the L3 switch
Routing at wire speed

Creating a routed port
interface gig0/1
no switchport

Routing protocols converge faster than RSTP.
Sub-second convergence

Old (most common) method is to span VLANs across your network
New approach is to localise VLANs / STP to one closet
Going further, they want you to use L3 switches for all switches
Then we would have a spanning-tree-free network (on the uplinks).
Anything can fail anywhere and we have sub-second convergence
Access switches still need STP on user ports as users might plug anything in

L3 switches everywhere are too expensive for most.
Most small/medium businesses don't need the sub-second convergence either.


STP: Root Guard, Loop Guard and UDLD

Root guard protects the root bridge placement. It's to protect yourself from misconfiguration, by you or by Bob.

STP is unauthenticated: the root election is based only on the bridge MAC address and priority, so any device that sends a superior BPDU becomes root and all traffic re-routes through it. Older devices have lower MAC addresses, so if two devices have a priority of 0 the older device will always win. Root guard protects the root bridge.

You need to select your root. Turn on root guard on any port that should never lead toward the root (on the distribution switch, the ports facing access switches). If a superior BPDU comes in, the port goes into root-inconsistent state (blocking) until the superior BPDUs stop; it recovers by itself. Don't put it on the path to the real root.

interface fa0/1
spanning-tree guard root

See if root guard is enabled
show spanning-tree detail
"Root guard is enabled on the port"


Loop guard is to protect against a malfunctioning switch or a one-way link. A switch's IOS has crashed but it's still forwarding traffic: it stops sending BPDUs, so the other side would unblock its port after max age and create a loop. With loop guard, a root or alternate port that stops receiving BPDUs goes into loop-inconsistent state instead of forwarding, until it gets BPDUs again.

interface fa0/1
spanning-tree guard loop

UDLD (Cisco proprietary protocol)
Unidirectional link detection. Catches one-way links at layer 2 by echoing neighbour IDs, without relying on STP. A UDLD error-disable does not recover unless errdisable recovery is enabled; it's not self-clearing like the inconsistent states of loop guard/root guard.

Generally used with fibre (one strand can fail on its own) and on links where we don't rely on STP because we wanted fast failover.

When UDLD is first enabled and does not detect a neighbour, the link state is considered unknown, which is not necessarily an error condition.


SW1
int fa0/1
udld port aggressive

SW2
int fa0/2
udld port aggressive

After enabling UDLD on the connected interface of the other switch, the local switch detects its neighbour and updates the link's status to bidirectional.

show udld fa0/1


udld port (normal mode): error-disables the port on a detected miswire (e.g. crossed fibre strands); if the neighbour simply stops answering it only logs and marks the link undetermined, the port stays up

udld port aggressive: if there is an issue it tries to re-establish the connection, and if it can't it disables the link

UDLD aggressive mode will first try to re-establish (8 retries) and if that fails it puts the port into errdisable

If we want to bring a port back up that was error-disabled by UDLD we can shut / no shut, or

udld reset (privileged exec mode, not config mode)

First Hop Redundancy Protocol

FHRPs
  • HSRP (Cisco proprietary)
  • VRRP  (Open IETF)
  • GLBP (Cisco proprietary)
RTRA x.x.x.2 (real IP)
RTRB x.x.x.3 (real IP)
Virtual IP x.x.x.1

A virtual MAC address is also shared between RTRA and RTRB

Decrement means reduce your priority.
Preempt means take over.

HSRP 1994 (cisco)
VRRP 1999 (industry standard)

They are almost identical.

        Primary   Backup
HSRP:   Active    Standby
VRRP:   Master    Backup



VRRP
Allows you to assign the master IP to one of the devices so you only need 2 IP addresses instead of 3.

Default timers (both can be changed, even down to milliseconds)
HSRP hello 3 dead 10
VRRP hello 1 dead 3


GLBP 2005

Gateway Load Balancing protocol
The only protocol that is active/active: all units can send/receive.
Pretty much identical to HSRP apart from the active/active setup.
You may have to set STP cost to something high like 2000 on the link between your routers
This way the links from the inside are active and the failover cable is blocked

Single VIP, multiple MAC addresses.
Active/active/active... depending on the number of nodes.
If we have 4 nodes, each has a virtual MAC.
If 3 nodes go down, the last node takes over the other 3 virtual MAC addresses,
so 1 node is responding to 4 virtual MAC addresses.

AVG = active virtual gateway, like the primary
AVF = devices taking part in GLBP
There will always be 1 AVG (which is also an AVF) and multiple AVFs

glbp 1 ip 172.30.80.1
glbp 1 priority 150 (controls who is the AVG)
glbp 1 timers msec 50 msec 150


AVF
glbp 1 ip 172.30.80.1
glbp 1 timers msec 50 msec 150

Can track interfaces and change member weights
glbp 1 weighting track

GLBP
MAC address: 0007.b400.XXYY
1 AVG per group (active virtual gateway)
Up to 4 AVFs per group (active virtual forwarder)
AVG is also an AVF




HSRP 1994
Cisco protocol
Active and standby
hello every 3 seconds
dead timer 10 seconds
virtual mac address [0000.0c] [07.ac] [xx]
[cisco vendor id] [HSRP version1 id] [Standby Group Number 0-255]


You may be asked to pick the HSRP MAC out of a list.

Configuring HSRP
RTR1: 172.30.70.2
RTR2: 172.30.70.3
VIP: 172.30.70.1

conf t
interface vlan 1
standby 1 ip 172.30.70.1 [1 is the group ID; virtual IP, subnet mask is taken from the real address]
standby 1 priority 110 [110 becomes the active; the standby stays at the default 100]
standby 1 track fa0/1 20 [if the interface fails, take 20 off its priority]
standby 1 preempt delay reload 60 [make sure it's up and working for 60s before letting it take over]
show standby

show standby brief


If the interface goes down we take 20 off the priority: 110 - 20 = 90, so the other unit sitting on 100 will be the active.
We need the preempt command. It tells the standby device: if you find you are the higher priority, take over. The preempt command is really important.

Lowering the hello and dead times for faster failover
standby 1 timers msec 200 msec 650
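To make the "we need the preempt command" point concrete, here is an added example (not from the original notes) that models the priority, interface tracking and preempt behaviour of the HSRP config above on two routers; the router names and the fa0/1 tracking are the same as in the notes, everything else is constructed:

```python
# Added example, not from the original notes: a model of HSRP priority,
# tracking and preempt, run on the two-router setup from the config above.
from dataclasses import dataclass, field


@dataclass
class HsrpRouter:
    name: str
    priority: int = 100                           # standby 1 priority (default 100)
    preempt: bool = False                         # standby 1 preempt
    tracked: dict = field(default_factory=dict)   # standby 1 track <iface> <decrement>
    down: set = field(default_factory=set)        # interfaces currently down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        return self.priority - sum(dec for iface, dec in self.tracked.items() if iface in self.down)


class HsrpGroup:
    def __init__(self, routers):
        self.routers = routers
        self.active = None

    def best(self) -> HsrpRouter:
        # Highest effective priority wins. Real HSRP breaks ties on the highest
        # interface IP; ties are not modelled here.
        return max(self.routers, key=lambda r: r.effective_priority())

    def hello(self) -> str:
        """One hello interval: elect if nobody is active; otherwise only a router
        with preempt enabled AND a strictly higher effective priority takes over."""
        if self.active is None:
            self.active = self.best()
        else:
            cand = self.best()
            if (cand is not self.active and cand.preempt
                    and cand.effective_priority() > self.active.effective_priority()):
                self.active = cand
        return self.active.name

    def link(self, router: HsrpRouter, iface: str, up: bool) -> str:
        """Flap a tracked interface on a router, then run a hello cycle."""
        if up:
            router.down.discard(iface)
        else:
            router.down.add(iface)
        return self.hello()


def scenario(standby_preempt: bool) -> list:
    """RTR1: priority 110, tracks fa0/1 with decrement 20, preempt on.
    RTR2: default priority 100, preempt as given.
    Returns the active router after election, after RTR1's fa0/1 goes down,
    and after it comes back up."""
    rtr1 = HsrpRouter("RTR1", priority=110, preempt=True, tracked={"fa0/1": 20})
    rtr2 = HsrpRouter("RTR2", priority=100, preempt=standby_preempt)
    group = HsrpGroup([rtr1, rtr2])
    return [group.hello(),
            group.link(rtr1, "fa0/1", up=False),   # RTR1 drops to 90
            group.link(rtr1, "fa0/1", up=True)]    # RTR1 back to 110
```

Without preempt on RTR2 the tracking decrement achieves nothing: RTR1 keeps the active role at priority 90 because nobody is allowed to take it.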

HSRP states

Initial
This is the state at the start. This state indicates that HSRP does not run. This state is entered through a configuration change or when an interface first becomes available.

Learn
The router has not determined the virtual IP address and has not yet seen an authenticated hello message from the active router. In this state, the router still waits to hear from the active router.

Listen
The router knows the virtual IP address, but the router is neither the active router nor the standby router. It listens for hello messages from those routers.

Speak
The router sends periodic hello messages and actively participates in the election of the active and/or standby router. A router cannot enter speak state unless the router has the virtual IP address.

Standby
The router is a candidate to become the next active router and sends periodic hello messages. With the exclusion of transient conditions, there is, at most, one router in the group in standby state.

Active
The router currently forwards packets that are sent to the group virtual MAC address. The router sends periodic hello messages. With the exclusion of transient conditions, there must be, at most, one router in active state in the group.

HSRP versions (v1 and v2)
Default version is v1

v1 MAC: 0000.0c07.acXX  [XX is group number in hex]
v1 broadcast: 224.0.0.2

v2 supports more groups and IPv6
v2 MAC range: 0000.0c9f.fXXX - 0000.0c9f.ffff
[XXX is the group number in hex]

v2 broadcast: 224.0.0.102
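As an added example (not from the original notes), the HSRP v1, HSRP v2 and GLBP virtual MAC formats from these notes, turned into code that builds a virtual MAC from a group number and, the other way round, picks FHRP virtual MACs out of a list of addresses; the sample MAC list is constructed:

```python
# Added example, not from the original notes: build and recognise the FHRP
# virtual MACs described above (HSRP v1 0000.0c07.acXX, HSRP v2 0000.0c9f.fXXX,
# GLBP 0007.b400.XXYY), e.g. to spot them in a MAC table or a capture.
import re


def hsrp_v1_mac(group: int) -> str:
    """HSRP v1: Cisco vendor id 0000.0c + v1 id 07.ac + group (0-255) in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def hsrp_v2_mac(group: int) -> str:
    """HSRP v2: 0000.0c9f.f + group (0-4095) as three hex digits."""
    if not 0 <= group <= 4095:
        raise ValueError("HSRP v2 group must be 0-4095")
    return f"0000.0c9f.f{group:03x}"


def glbp_mac(group: int, forwarder: int) -> str:
    """GLBP: 0007.b400.XXYY with XX = group and YY = forwarder number (1-4)."""
    if not (0 <= group <= 255 and 1 <= forwarder <= 4):
        raise ValueError("GLBP group must be 0-255, forwarder 1-4")
    return f"0007.b400.{group:02x}{forwarder:02x}"


def normalize(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return dotted lower case."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def classify(mac: str):
    """Return (protocol, details) if mac is an FHRP virtual MAC, else None."""
    m = normalize(mac)
    if m.startswith("0000.0c07.ac"):
        return ("HSRPv1", {"group": int(m[-2:], 16)})
    if m.startswith("0000.0c9f.f"):
        return ("HSRPv2", {"group": int(m[-3:], 16)})
    if m.startswith("0007.b400."):
        return ("GLBP", {"group": int(m[-4:-2], 16), "forwarder": int(m[-2:], 16)})
    return None


def find_fhrp_macs(macs):
    """Return {mac: (protocol, details)} for every FHRP virtual MAC in the list."""
    found = {}
    for mac in macs:
        hit = classify(mac)
        if hit is not None:
            found[mac] = hit
    return found


# Constructed sample list, as in "pick the HSRP MAC out of a list".
SAMPLE_MACS = [
    "00:1a:2b:3c:4d:5e",   # ordinary host NIC (constructed)
    "0000.0c07.ac11",      # HSRP v1, group 17 (0x11, like the hex example at the top)
    "0000.0C9F.F012",      # HSRP v2, group 18 (0x012)
    "0007.b400.0102",      # GLBP group 1, forwarder 2
]
```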


VRRP

Gateways will be in VRRP groups (multiple devices responding to one VIP)
One master, multiple backups
VIP can be assigned to the master.
hello 1 second dead timer 3 seconds
VRRP can be very quick to failover
Skew time = (256 - priority) / 256 seconds, so with priority 100 that is (256 - 100) / 256. Google how priority affects failover time.
Priority 100 basically adds half a second.
Preemption is turned on by default in VRRP.
Can track interfaces. For example track your internet connection. Works with IP SLA.

VRRP config

interface FastEthernet0/0
ip address 10.0.1.2 255.255.255.0
vrrp 1 ip 10.0.1.1
vrrp 1 timers 1 3
vrrp 1 priority 140
vrrp 1 preempt
vrrp 1 authentication md5 key-string password
vrrp 1 track 50 decrement 80

Show IP sla config
sh run | i track
show track
show ip sla configuration

conf t
int fa0/1
vrrp 1 ip 172.30.50.1
vrrp 1 priority 110 (I want this device to be master)
vrrp 1 preempt delay
no vrrp 1 timers learn
vrrp 1 timers advertise msec 50


interface tracking (can use IP SLA)
track 50 interface fa0/1 line-protocol
vrrp 1 track 50 decrement 20

show vrrp




FHRP and STP

Following Cisco designs we have L3 at the top and L2 at the access layer.
Local VLANs (VLANS don't span across switches)
L3 link between the core switches.
L3 core switches become the default GW for each local VLAN
Need SVI's for each local VLAN on the core switches
Core SW A with SVI for vlan 10 (10.1.50.2)
Core SW B with SVI for vlan 10 (10.1.50.3)
The primary HSRP (etc.) device should also be the root bridge.

If you use L3 switches everywhere with local VLANs on the access layer switches, broadcasts stop at the L3 links. Failover is very quick: we don't have to wait for STP because we don't use STP. However, having L3 switches everywhere is expensive.

If VLANs span across switches we need STP.




With GLBP you need to make the links to the access switches active and block the link between the core switches. You go under the interface for the link between the core switches and change the STP cost.


Understanding and configuring port-security


Common attacks
  • MAC attack, CAM table overflow
The switch becomes a hub and the attacker can listen to all traffic. To mitigate, limit the number of MAC addresses per port; even 50 per port would be better than nothing, and a value of 2 - 5 would be good.

  • DHCP starvation
Flood the DHCP server and use up all the IP addresses, so new clients can't get an IP and can't use the network. This would be a good time for an attacker to set up their own rogue DHCP server. To mitigate, we can restrict which ports are allowed to respond to DHCP requests. We can also limit the number of DHCP requests coming from one port.

  • Man in the middle attack / rogue DHCP server
The attacker pretends to be the DHCP server and gives your clients an IP. The clients send their traffic to the attacker, who is listening: a man in the middle attack. To mitigate, enable DHCP snooping / DAI etc.



port security modes

  • shutdown = error disables the port
  • protect = limits the number of MACs and silently ignores the rest
  • restrict = limits the number of MACs, ignores the rest and logs

You should use shutdown or restrict

A switch port must be in access mode to use port-security
switchport mode access
switchport port-security (default limits to 1 mac address)
switchport port-security maximum 10 (10 macs)

Statically assign the next learned mac address
switchport port-security mac-address sticky

Shut down the port if something violates port security
switchport port-security violation shutdown

shutdown is harsh: it shuts the port down
restrict just logs and doesn't shut anything down

Usually err-disabled ports are shut down for a good reason.
With errdisable recovery there is no need for an admin to get on and shut/no shut:

errdisable recovery cause psecurity-violation
sh errdisable recovery (default timer is 300 seconds)
after 5 min the interface will turn itself back on

Mac address states
Secureconfigured = in run cfg but not saved in startup config
DynamicLearned = put in run cfg and saved in startup config

See what ports have port-security enabled
show port-security

Get more info on that port, like:

show port-security interface fa0/2

Port security gotcha
You cannot enable port security on EtherChannel interfaces, on trunks when DTP is enabled, or on the destination port of a SPAN session.

DHCP Snooping Configuration

A user plugs in a router which starts handing out 192.168.1.0 addresses.
Hackers will create a DHCP server for a man in the middle attack.

You can mitigate this with DHCP snooping.
We allow all ports to make requests, but we only allow replies in from the DHCP server.
We turn on trust on the trunk ports.

ip dhcp snooping
ip dhcp snooping trust (run this on the trusted interfaces)
ip dhcp snooping vlan 10 (enable it on the vlan)

show ip dhcp snooping binding (see the DHCP bindings)

DHCP snooping and ARP inspection config
Enable DHCP snooping globally
Enable DHCP snooping for vlans 100,150
Enable DAI for vlans 100,150
Set fa0/1 as a trusted source for DHCP responses

enable
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 100,150
ip arp inspection vlan 100,150
interface fastethernet 0/1
ip dhcp snooping trust
ip arp inspection trust


Show arp inspection interfaces
show ip arp inspection interfaces 

Trusted ports are likely connected to a DHCP server.
Untrusted ports will be validated by ARP inspection; they are likely connected to clients.

DHCP option 82
With DHCP option 82, forwarded requests contain information about the switchport they originated from.

If you enable IP DHCP snooping, option 82 is inserted into DHCP packets as they pass through the switch. The option 82 information describes where the DHCP request came from.

ip dhcp snooping information option
This command enables the switch to insert and remove DHCP relay information (the option-82 field) in forwarded DHCP request messages to the DHCP server. This is the default setting.



enable
conf t
ip dhcp snooping information option
interface fastethernet 0/2

Rate limit to 10 DHCP packets per second
ip dhcp snooping limit rate 10

IP source guard and dynamic arp inspection

Typical man in the middle attack:
host <-> badguy <-> destination
Anyone can come in, download Cain and Abel, and your switches are not protected by default.
IP source guard makes sure the source IP does not change in the middle of the exchange.


First you must enable DHCP snooping globally
ip dhcp snooping



Next enable source guard on the interfaces you want to protect
int fa1/0/46
ip verify source

What if you have a printer on a static IP

ip source binding 1111.1111.1111 vlan 1 192.168.100.14 fa1/0/6

Dynamic ARP inspection watches for suspicious ARP replies.
sh ip dhcp snooping binding
ip arp inspection vlan 10
ip arp inspection trust (configure this on your trunks)
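To tie the DHCP snooping, DAI and IP source guard sections together, here is an added example (not from the original notes) that models the DHCP snooping binding table and the checks DAI and IP source guard run against it; the port names, MACs and IPs in the scenario are constructed:

```python
# Added example, not from the original notes: a model of the DHCP snooping
# binding table ("show ip dhcp snooping binding") and of the checks that
# dynamic ARP inspection and IP source guard make against it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:            # one row of the binding table
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Port:
    name: str
    trusted: bool = False         # ip dhcp snooping trust + ip arp inspection trust
    verify_source: bool = False   # ip verify source


class SnoopingSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.bindings = []

    def dhcp_server_reply(self, ingress, vlan, client_mac, client_ip, client_port) -> str:
        """A DHCP OFFER/ACK arriving on `ingress`: only trusted ports may carry replies."""
        if not self.ports[ingress].trusted:
            return "drop"         # rogue DHCP server on an untrusted port
        self.bindings.append(Binding(client_mac, client_ip, vlan, client_port))
        return "bind"

    def static_binding(self, mac, vlan, ip, port) -> None:
        """ip source binding <mac> vlan <v> <ip> <port>: a static-IP host such as a printer."""
        self.bindings.append(Binding(mac, ip, vlan, port))

    def _bound(self, vlan, port, ip, mac=None) -> bool:
        return any(b.vlan == vlan and b.port == port and b.ip == ip
                   and (mac is None or b.mac == mac) for b in self.bindings)

    def arp(self, ingress, vlan, sender_mac, sender_ip) -> str:
        """DAI: ARP from an untrusted port passes only if sender MAC/IP match a binding."""
        if self.ports[ingress].trusted:
            return "forward"
        return "forward" if self._bound(vlan, ingress, sender_ip, sender_mac) else "drop"

    def ip(self, ingress, vlan, src_ip) -> str:
        """IP source guard (ip verify source): the source IP must be bound to this port."""
        if not self.ports[ingress].verify_source:
            return "forward"
        return "forward" if self._bound(vlan, ingress, src_ip) else "drop"


def demo() -> dict:
    """Constructed scenario: fa0/1 is the uplink to the real DHCP server; fa0/2 and
    fa0/3 are client ports. A rogue on fa0/3 tries DHCP replies and a gateway ARP."""
    sw = SnoopingSwitch([Port("fa0/1", trusted=True),
                         Port("fa0/2", verify_source=True),
                         Port("fa0/3", verify_source=True)])
    r = {}
    r["rogue_dhcp"] = sw.dhcp_server_reply("fa0/3", 10, "aaaa.aaaa.0002", "10.1.50.66", "fa0/2")
    r["real_dhcp"] = sw.dhcp_server_reply("fa0/1", 10, "aaaa.aaaa.0002", "10.1.50.20", "fa0/2")
    r["good_arp"] = sw.arp("fa0/2", 10, "aaaa.aaaa.0002", "10.1.50.20")
    r["spoofed_gw_arp"] = sw.arp("fa0/3", 10, "dead.beef.0003", "10.1.50.1")  # claims the gateway IP
    r["spoofed_ip"] = sw.ip("fa0/2", 10, "10.1.50.99")
    r["good_ip"] = sw.ip("fa0/2", 10, "10.1.50.20")
    sw.static_binding("bbbb.bbbb.0003", 10, "10.1.50.14", "fa0/3")            # the printer
    r["printer_ip"] = sw.ip("fa0/3", 10, "10.1.50.14")
    return r
```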


Storm control

Cisco storm control limits the amount of broadcast, multicast and unknown unicast traffic on a given interface.
We can say broadcasts shouldn't go above 1Mbps.
Sometimes when a network card breaks it starts sending out junk:

conf t
int fa0/1
storm-control broadcast level 20
Broadcasts are suppressed once they exceed 20% of the bandwidth coming in on this interface

You can also do
storm-control broadcast level bps 1m .5m (rising threshold / falling threshold)
Once you go above the rising threshold broadcasts (or other defined traffic) are dropped
They won't be allowed again until you are below the falling threshold
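The rising/falling threshold pair is easy to get wrong, so here is an added example (not from the original notes) that models the hysteresis of "storm-control broadcast level bps 1m .5m" on a constructed per-second series of broadcast rates:

```python
# Added example, not from the original notes: the rising/falling threshold
# behaviour of "storm-control broadcast level bps 1m .5m", modelled per interval.
RISING_BPS = 1_000_000    # 1m: start suppressing above this
FALLING_BPS = 500_000     # .5m: stop suppressing only below this


def storm_control(rates_bps, rising=RISING_BPS, falling=FALLING_BPS):
    """Return [(rate, suppressed), ...] for each measured interval.

    Suppression starts when the rate goes above the rising threshold and is
    lifted only once the rate falls below the falling threshold, so a rate
    between the two thresholds keeps whatever state the port already had.
    """
    if falling > rising:
        raise ValueError("falling threshold must not exceed the rising threshold")
    suppressed = False
    decisions = []
    for rate in rates_bps:
        if not suppressed and rate > rising:
            suppressed = True
        elif suppressed and rate < falling:
            suppressed = False
        decisions.append((rate, suppressed))
    return decisions


def level_to_bps(level_percent: float, link_bps: int) -> float:
    """'storm-control broadcast level 20' means 20% of the interface bandwidth."""
    return link_bps * level_percent / 100.0


# Constructed series: a broken NIC starts spewing broadcasts, then calms down.
SAMPLE_RATES = [200_000, 1_200_000, 800_000, 800_000, 400_000, 800_000]


def suppressed_intervals(rates=SAMPLE_RATES) -> list:
    """Indexes of the intervals in which broadcasts were dropped."""
    return [i for i, (_, s) in enumerate(storm_control(rates)) if s]
```

Intervals 2 and 3 (800 kbps) sit between the two thresholds and stay suppressed; interval 5, also 800 kbps, is not, because the port had already dropped below .5m in interval 4.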


Private VLANs

Why use private VLANs?
We want to separate customers, but we don't want to waste IPs on the network and broadcast addresses of many small subnets. Private VLANs provide a method for isolation within a single VLAN.

Isolated
If we have 3 devices all on isolated PVLAN 40, they can't access each other.
However, they can access the promiscuous port.

Community
Let's say we have community PVLAN 80. Hosts can talk to the other hosts in the community PVLAN and to the promiscuous port, but there is no communication with the isolated ports. Community PVLANs 80 and 85 work the same way: hosts in each can access each other and can get to the promiscuous port.

Promiscuous
Accessible by both isolated and community ports.


Configuring Private VLANs

Subnet is on vlan 200
web and sql server are  in community vlan 205
ftp server on isolated vlan 210

You need a 3750 switch for private VLANs.

Only VTP v3 works with PVLANs; first check "show vtp status" to see the version. If it's version 2 then set it to transparent mode:

vtp mode transparent

*** Set up the primary PVLAN
vlan 200
private-vlan primary


*** Set up your community and isolated VLANs
vlan 205
private-vlan community

vlan 210
private-vlan isolated


*** Go back under the primary vlan 
*** Associate the primary vlan with the secondary vlans 205,210
vlan 200
private-vlan association 205,210
private-vlan association add 206 (to add another VLAN later)

sh vlan private-vlan type

*** Add interfaces to the community VLAN
int fa1/0/4
switchport mode private-vlan host
switchport private-vlan host-association 200 205 (primary vlan, secondary vlan)

int fa1/0/5
switchport mode private-vlan host
switchport private-vlan host-association 200 205 (primary vlan, secondary vlan)

*** Add an interface to the isolated VLAN
int fa1/0/6
switchport mode private-vlan host
switchport private-vlan host-association 200 210 (primary vlan, secondary vlan)

*** Set up the promiscuous port (towards the router/GW) 
*** Map the primary vlan 200 to the secondary vlans 205 and 210
int fa1/0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 200 205,210 (which secondary PVLANs it should respond to)

*** show command
sh vlan private-vlan
show interface switchport
show interface fa0/1 switchport

VACL
vlan access-map ge1
match ip address tn1
action redirect gigabitethernet 4/1
exit
vlan filter ge1 vlan-list 22-33

AAA on switches

Authentication - Validates who you are
Authorization - What you can do
Accounting - Tracks what you did / logging

You can download a free RADIUS server for Linux or install NPS on Windows Server.

Cisco's TACACS+ server is Cisco's offering, which is paid.
On server 2003 have to tick the box for unauthenticated but its 
Google how to set up a RADIUS server on Windows for Cisco. You need to set up policies.
You need to find attribute values like "shell:priv-lvl=1", which is actually user mode.
"shell:priv-lvl=15" is exec mode.

aaa new-model
aaa authentication login default group radius local (all logins will go through radius if they are down it will use the local database)
aaa authentication login NO-LOGIN none
line con 0
exec-timeout 0 0
logging synchronous
login authentication NO-LOGIN (don't ask for logins on the console)
radius-server host 172.30.1.1
radius-server key cisco 
aaa authorization exec default group radius if-authenticated
(if-authenticated lets you keep working if the RADIUS servers go down while you are logged in)

debug radius authentication

SPAN and RSPAN

Sometimes we need to watch the traffic with Wireshark. It's only useful when we can actually see the traffic. SPAN = Switchport Analyser.

monitor session 1 source int fa0/12 both
monitor session 1 destination int fa0/1

*** Note status of interface / source port in an active SPAN will be up (connected)

Anything sent/received on port 12 will be copied out port 1. We can have Wireshark there watching the traffic.

SPAN is great when we are sitting beside the switch. What about a remote switch? Make an RSPAN VLAN and trunk it to your workstation.

On remote switch
vlan 999 (will have to be added into trunks)
remote-span
exit
monitor session 1 source int fa0/10 both
monitor session 1 destination remote vlan 999 reflector-port fa0/11
The reflector port gives up its ASIC resources. Make sure it's not in use.

On the local switch
vlan 999
remote-span
exit
monitor session 2 source remote vlan 999
monitor session 2 destination interface fa0/1

RSPAN recap 
1 - Set up the RSPAN VLAN on all switches
2 - Setup monitor session 1 source interface (what we want to monitor)
3 - Setup monitor session 1 destination RSPAN VLAN
4 - Setup monitor session 2 source RSPAN VLAN
5 - Setup monitor session 2 destination interface (where we have wireshark)


SPAN and RSPAN


conf t
monitor session 1 source interface fa0/1
monitor session 1 destination interface fa0/23

Create your RSPAN vlan that you are not using
Then you can trunk it back through your network

*** Setup the RSPAN vlan on both switches (add to trunks if needed)
conf t
vlan 999
remote-span

*** setup monitor session
monitor session 1 source interface fa0/1
monitor session 1 destination remote vlan 999 reflector-port fa0/22

*** Setup the destination switch
monitor session 2 source remote vlan 999
monitor session 2 destination interface fa0/5

SNMPv3

SNMPv1 - first implementation

SNMPv2 - added more features but had no real security

SNMPv3 - Adds the ability to do authentication and encryption

OID - the value for one thing, like CPU usage being 90%
MIB - all the OIDs together and what they mean make up the MIB, e.g. OID 1.3.6.7 = CPU usage.
Using a monitoring system you can monitor (and change) almost anything on devices.

SNMPv3
SNMP view: what they can see.
SNMP group: the view is associated with a group.
SNMP user: users are part of groups.

snmp-server view ALL-ACCESS iso included (included means everything below)
snmp-server view INT-ACCESS ifEntry included 

snmp-server group GROUP1 v3 priv read ALL-ACCESS (priv = use auth and encryption)
snmp-server user JACK GROUP1 v3 auth sha UPASSWORD priv aes SKEYPASSWORD (monitoring system needs to support)


How to detect MAC flaps caused by STP
mac-address-table notification mac-move
Mac flap = packets arrive at different interfaces with same source mac address


Fix "PBR requires enabling extend routing"
sdm prefer routing 


Send SNMP trap when a broadcast storm is detected
storm-control action trap 

NTP

Time sync is usually an afterthought.
NTP is very important for accurate log files when investigating issues after the fact.
3/1/95 at midnight
Time sync is important for certificates

3 ways to sync time
Poll an NTP server 
ntp server 111.111.111.111

Listen to NTP multicasts
Multicast 1 message out to all the hosts listening to NTP multicasts

Listen to NTP broadcasts
NTP server just broadcasts out NTP

NIST will give you free authenticated NTP.

show ntp associations


Cisco Stackwise

We used to connect switches with crossover cables and had to administer each switch on its own.
Chassis switches all appeared as one switch.
StackWise lets you link 3750s together, and you can add more switches later, up to 9 switches.
One switch will be elected as the master.

show switch - can see which one is master
switch 1 priority -  can be used to set the master

If the switches are on different SW versions, the lower version switches will be upgraded, reboot and join the stack.

Just in case add switches to the stack outside business hours as they can cause an outage.

VSS vs Stackwise
At a high level, both sort of accomplish the same goals. VSS is a technology that we see in the 6500, 6800 and 4500 switches. It does not use special cables but establishes a virtual switch link (VSL) between two switches using regular ethernet cables (Gigabit, TenGigabit, etc). VSS is limited to two switches.

Stacking is something we do with 3850, 3750 and 3750x. It uses a special stack cable and is not limited to two switches (some models can stack up to 9 members). This is more of an access layer technology.

Both technologies make the connected switches appear as one.

StackWise vs. VSS:
StackWise can have more than 2 members, up to 9 on 3750-X.
VSS is always a pair of switches.
Logical result of both is the same
Stack uses dedicated proprietary cables
VSS works over 10gig ethernet (can work on fibre)
VSL (Virtual Switch link) is part of VSS (Virtual Switching System)

VSS
Can be used even in geographically distributed equipment
Is supported only on the 4500 and 6500 lines
Uses 10Gbps interfaces

Stack:
Can be connected in up to 9 devices
Is supported only on the 3750 line and (2960/3650/3850/3750+)
Uses a proprietary cable for the connection (a little over 10Gbps)

Practice test notes

Verify inter vlan routing
Verify trunks on RTR
show ip route
show ip interface brief

Ensure the encapsulation command is set up
int fa0/0.20
encapsulation dot1q 20
ip address 172.10.4.1 255.255.254.0
no shutdown

Check native VLAN
show int fa0/1 trunk
show interfaces trunk

Trunk port setup
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport trunk allowed vlan 10,50
switchport mode trunk
switchport nonegotiate





